{
    "apiVersion": "v1",
    "items": [
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=b93015c813a048b44df2a1f6848f294e54b809cc",
                    "build.appstudio.redhat.com/commit_sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "build.appstudio.redhat.com/pull_request_number": "9609",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969861206",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tdgejf",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9609",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/98825e1a-9891-42cb-af8d-5a63f91639f7/records/df6124a9-73bb-4606-be13-f6dccbcb0cf9",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"b93015c813a048b44df2a1f6848f294e54b809cc\",\"eventType\":\"pull_request\",\"pull_request-id\":9609}",
                    "results.tekton.dev/result": "group-i4dp/results/98825e1a-9891-42cb-af8d-5a63f91639f7",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:27:30Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-ld7t88",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969861206",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9609",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "tekton.dev/pipelineRunUID": "98825e1a-9891-42cb-af8d-5a63f91639f7",
                    "tekton.dev/pipelineTask": "coverity-availability-check",
                    "tekton.dev/task": "coverity-availability-check",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "kon3b6d3aef108776388619ec0c5839258c-coverity-availability-check",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                        "uid": "98825e1a-9891-42cb-af8d-5a63f91639f7"
                    }
                ],
                "resourceVersion": "43381",
                "uid": "df6124a9-73bb-4606-be13-f6dccbcb0cf9"
            },
            "spec": {
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-ld7t88",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "coverity-availability-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:27:42Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:27:42Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "kon3b6d3aef108776388619ec0c7480c15a01444f9cf667d55c00461b8a-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        "entryPoint": "coverity-availability-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check"
                    }
                },
                "results": [
                    {
                        "name": "STATUS",
                        "type": "string",
                        "value": "failed"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"2026-07-03T09:27:40+00:00\",\"note\":\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\",\"namespace\":\"default\",\"successes\":0,\"failures\":1,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:27:32Z",
                "steps": [
                    {
                        "container": "step-coverity-availability-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "coverity-availability-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2d68b5457cbd83363d0ad6c433a4299bef0c28c463be2456596b1e09673d9a90",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:27:40Z",
                            "message": "[{\"key\":\"STATUS\",\"value\":\"failed\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"2026-07-03T09:27:40+00:00\\\",\\\"note\\\":\\\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":1,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:27:40Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.",
                    "params": [
                        {
                            "default": "cov-license",
                            "description": "Name of secret which contains the Coverity license",
                            "name": "COV_LICENSE",
                            "type": "string"
                        },
                        {
                            "default": "auth-token-coverity-image",
                            "description": "Name of secret which contains the authentication token for pulling the Coverity image.",
                            "name": "AUTH_TOKEN_COVERITY_IMAGE",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task result output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Tekton task simple status to be later checked",
                            "name": "STATUS",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "COV_LICENSE",
                                    "value": "cov-license"
                                },
                                {
                                    "name": "AUTH_TOKEN_COVERITY_IMAGE",
                                    "value": "auth-token-coverity-image"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "coverity-availability-check",
                            "script": "#!/usr/bin/env bash\nset -eo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Checking Coverity license\nCOV_LICENSE_PATH=/etc/secrets/cov/cov-license\nif [ -f \"${COV_LICENSE_PATH}\" ] \u0026\u0026 [ -s \"${COV_LICENSE_PATH}\" ]; then\n  echo \"Coverity license detected!\"\nelse\n  echo 'No license file for Coverity was detected. Coverity scan will not be executed...'\n  echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license'\n  note=\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# Checking authentication token for downloading coverity image\nAUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json\nif [ -f \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ] \u0026\u0026 [ -s \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ]; then\n  echo \"Authentication token detected!\"\nelse\n  echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...'\n  echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image'\n  note=\"Task coverity-availability-check failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nnote=\"Task coverity-availability-check completed: Coverity availability checks finished succesfully.\"\n# shellcheck disable=SC2034\nTEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t \"$note\")\necho -n \"success\" | tee \"/tekton/results/STATUS\"\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets/cov",
                                    "name": "cov-license",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/secrets/auth/config.json",
                                    "name": "auth-token-coverity-image",
                                    "subPath": ".dockerconfigjson"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "cov-license",
                            "secret": {
                                "optional": true,
                                "secretName": "cov-license"
                            }
                        },
                        {
                            "name": "auth-token-coverity-image",
                            "secret": {
                                "optional": true,
                                "secretName": "auth-token-coverity-image"
                            }
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=b93015c813a048b44df2a1f6848f294e54b809cc",
                    "build.appstudio.redhat.com/commit_sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "build.appstudio.redhat.com/pull_request_number": "9609",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969861206",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tdgejf",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9609",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/98825e1a-9891-42cb-af8d-5a63f91639f7/records/efc441dd-d880-4058-8719-c69e2f77314a",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"b93015c813a048b44df2a1f6848f294e54b809cc\",\"eventType\":\"pull_request\",\"pull_request-id\":9609}",
                    "results.tekton.dev/result": "group-i4dp/results/98825e1a-9891-42cb-af8d-5a63f91639f7",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:27:30Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-ld7t88",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969861206",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9609",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "tekton.dev/pipelineRunUID": "98825e1a-9891-42cb-af8d-5a63f91639f7",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "tekton.dev/task": "deprecated-image-check",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "kon3b6d3aef108776388619ec0c5839258c-deprecated-base-image-check",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                        "uid": "98825e1a-9891-42cb-af8d-5a63f91639f7"
                    }
                ],
                "resourceVersion": "43365",
                "uid": "efc441dd-d880-4058-8719-c69e2f77314a"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-ld7t88",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:27:47Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:27:47Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "kon3b6d3aef108776388619ec0c52eaf8b3c60186df584b55013cba18c3-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc\", \"digests\": [\"sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:27:45+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:27:30Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "check-images",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://37872a87deae3aaf9b2c651876ed6797e12ba1563276cfa81f48ff463c4f186a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:27:45Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc\\\", \\\"digests\\\": [\\\"sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:27:45+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:27:38Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    # Get base images from SBOM\n    cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n    if [ $? -ne 0 ]; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n  # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n  mkdir -p ${IMAGE_REPO_PATH}\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n    --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n    --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n    failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "build.appstudio.redhat.com/commit_sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "build.appstudio.redhat.com/pull_request_number": "9608",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969005529",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ggmahh",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9608",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/9e58fa08-a11d-4584-a021-5b1cc07863ca/records/45e1efc6-0b47-4f15-a365-056170a82148",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"7d75ea79923fbfb364a3933b82706d14ed207ae6\",\"eventType\":\"pull_request\",\"pull_request-id\":9608}",
                    "results.tekton.dev/result": "group-i4dp/results/9e58fa08-a11d-4584-a021-5b1cc07863ca",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-ld7t88",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:22:19Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-ld7t88",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969005529",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9608",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "tekton.dev/pipelineRunUID": "9e58fa08-a11d-4584-a021-5b1cc07863ca",
                    "tekton.dev/pipelineTask": "coverity-availability-check",
                    "tekton.dev/task": "coverity-availability-check",
                    "test.appstudio.openshift.io/pr-group-sha": "edbeabfd827400ac3bfec9b61ce3693a2847caaf0da2ea172da74adf84c60c"
                },
                "name": "kon9cf96e779ee0d71e28ce38a5075bf1a8-coverity-availability-check",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                        "uid": "9e58fa08-a11d-4584-a021-5b1cc07863ca"
                    }
                ],
                "resourceVersion": "38174",
                "uid": "45e1efc6-0b47-4f15-a365-056170a82148"
            },
            "spec": {
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-ld7t88",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "coverity-availability-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:22:30Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:22:30Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "kon9cf96e779ee0d71e28ce38a571c78befaa7c260ed9ae5967d101cb7d-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        "entryPoint": "coverity-availability-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check"
                    }
                },
                "results": [
                    {
                        "name": "STATUS",
                        "type": "string",
                        "value": "failed"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"2026-07-03T09:22:28+00:00\",\"note\":\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\",\"namespace\":\"default\",\"successes\":0,\"failures\":1,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:22:20Z",
                "steps": [
                    {
                        "container": "step-coverity-availability-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "coverity-availability-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b89bed92db4e351e0663d7d117f1612bef73906d82cb2213df35c3a9c7209735",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:22:28Z",
                            "message": "[{\"key\":\"STATUS\",\"value\":\"failed\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"2026-07-03T09:22:28+00:00\\\",\\\"note\\\":\\\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":1,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:22:28Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.",
                    "params": [
                        {
                            "default": "cov-license",
                            "description": "Name of secret which contains the Coverity license",
                            "name": "COV_LICENSE",
                            "type": "string"
                        },
                        {
                            "default": "auth-token-coverity-image",
                            "description": "Name of secret which contains the authentication token for pulling the Coverity image.",
                            "name": "AUTH_TOKEN_COVERITY_IMAGE",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task result output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Tekton task simple status to be later checked",
                            "name": "STATUS",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "COV_LICENSE",
                                    "value": "cov-license"
                                },
                                {
                                    "name": "AUTH_TOKEN_COVERITY_IMAGE",
                                    "value": "auth-token-coverity-image"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "coverity-availability-check",
                            "script": "#!/usr/bin/env bash\nset -eo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Checking Coverity license\nCOV_LICENSE_PATH=/etc/secrets/cov/cov-license\nif [ -f \"${COV_LICENSE_PATH}\" ] \u0026\u0026 [ -s \"${COV_LICENSE_PATH}\" ]; then\n  echo \"Coverity license detected!\"\nelse\n  echo 'No license file for Coverity was detected. Coverity scan will not be executed...'\n  echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license'\n  note=\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# Checking authentication token for downloading coverity image\nAUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json\nif [ -f \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ] \u0026\u0026 [ -s \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ]; then\n  echo \"Authentication token detected!\"\nelse\n  echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...'\n  echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image'\n  note=\"Task coverity-availability-check failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nnote=\"Task coverity-availability-check completed: Coverity availability checks finished succesfully.\"\n# shellcheck disable=SC2034\nTEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t \"$note\")\necho -n \"success\" | tee \"/tekton/results/STATUS\"\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets/cov",
                                    "name": "cov-license",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/secrets/auth/config.json",
                                    "name": "auth-token-coverity-image",
                                    "subPath": ".dockerconfigjson"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "cov-license",
                            "secret": {
                                "optional": true,
                                "secretName": "cov-license"
                            }
                        },
                        {
                            "name": "auth-token-coverity-image",
                            "secret": {
                                "optional": true,
                                "secretName": "auth-token-coverity-image"
                            }
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "build.appstudio.redhat.com/commit_sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "build.appstudio.redhat.com/pull_request_number": "9608",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969005529",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ggmahh",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9608",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/9e58fa08-a11d-4584-a021-5b1cc07863ca/records/7f838544-3f9b-4f2e-8455-82b4c6385c6d",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"7d75ea79923fbfb364a3933b82706d14ed207ae6\",\"eventType\":\"pull_request\",\"pull_request-id\":9608}",
                    "results.tekton.dev/result": "group-i4dp/results/9e58fa08-a11d-4584-a021-5b1cc07863ca",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-ld7t88",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:22:19Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-ld7t88",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969005529",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9608",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "tekton.dev/pipelineRunUID": "9e58fa08-a11d-4584-a021-5b1cc07863ca",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "tekton.dev/task": "deprecated-image-check",
                    "test.appstudio.openshift.io/pr-group-sha": "edbeabfd827400ac3bfec9b61ce3693a2847caaf0da2ea172da74adf84c60c"
                },
                "name": "kon9cf96e779ee0d71e28ce38a5075bf1a8-deprecated-base-image-check",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                        "uid": "9e58fa08-a11d-4584-a021-5b1cc07863ca"
                    }
                ],
                "resourceVersion": "37854",
                "uid": "7f838544-3f9b-4f2e-8455-82b4c6385c6d"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-ld7t88",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:22:34Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:22:34Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "kon9cf96e779ee0d71e28ce38a5f9519b8717dfd81671d628c893524a5a-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6\", \"digests\": [\"sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:22:33+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:22:19Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "check-images",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://8ef0fcdbf9c6bba813b727ad7d8054b2a9f8832c3d4285a2feee5b7c278b49c3",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:22:34Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6\\\", \\\"digests\\\": [\\\"sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:22:33+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:22:27Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    # Get base images from SBOM\n    cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n    if [ $? -ne 0 ]; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n  # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n  mkdir -p ${IMAGE_REPO_PATH}\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n    --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n    --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n    failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=b93015c813a048b44df2a1f6848f294e54b809cc",
                    "build.appstudio.redhat.com/commit_sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "build.appstudio.redhat.com/pull_request_number": "9609",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-5dd31015b4",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969861206",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tdgejf",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9609",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/98825e1a-9891-42cb-af8d-5a63f91639f7/records/fe47f842-830d-4841-8c97-e88675f2d7f6",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"b93015c813a048b44df2a1f6848f294e54b809cc\",\"eventType\":\"pull_request\",\"pull_request-id\":9609}",
                    "results.tekton.dev/result": "group-i4dp/results/98825e1a-9891-42cb-af8d-5a63f91639f7",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:24:59Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-ld7t88",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969861206",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9609",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "tekton.dev/pipelineRunUID": "98825e1a-9891-42cb-af8d-5a63f91639f7",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "konflux-t3b6d3aef108776388619ec0c5839258c-prefetch-dependencies",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                        "uid": "98825e1a-9891-42cb-af8d-5a63f91639f7"
                    }
                ],
                "resourceVersion": "41481",
                "uid": "fe47f842-830d-4841-8c97-e88675f2d7f6"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-ld7t88",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.3@sha256:45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-2b298fb171"
                        }
                    },
                    {
                        "name": "git-basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-tdgejf"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:25:08Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:25:08Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-t3b6d3aef10877638866cba4760d2ccc178dea6139829f9194b-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        "entryPoint": "prefetch-dependencies",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies"
                    }
                },
                "startTime": "2026-07-03T09:24:59Z",
                "steps": [
                    {
                        "container": "step-prefetch-dependencies",
                        "imageID": "quay.io/konflux-ci/hermeto@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                        "name": "prefetch-dependencies",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c211f00888bb04c08d935b94a701417df8df0ae8a20e43fa83c4e9f841f5acf4",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:25:08Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:25:03Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for hermetic build.",
                    "params": [
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/workspace/source/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/workspace/source/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILE",
                                    "value": "/workspace/source/cachi2/cachi2.env"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY",
                                    "value": "/workspace/git-basic-auth"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.48.0@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e /mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace with the source code, prefetch artifacts will be stored on the workspace as well",
                            "name": "source"
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "build.appstudio.redhat.com/commit_sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "build.appstudio.redhat.com/pull_request_number": "9608",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-6095c5874a",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969005529",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ggmahh",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9608",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/9e58fa08-a11d-4584-a021-5b1cc07863ca/records/f0476cc8-7604-4cb8-9838-4cee7df04ad0",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"7d75ea79923fbfb364a3933b82706d14ed207ae6\",\"eventType\":\"pull_request\",\"pull_request-id\":9608}",
                    "results.tekton.dev/result": "group-i4dp/results/9e58fa08-a11d-4584-a021-5b1cc07863ca",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-ld7t88",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:19:54Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-ld7t88",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969005529",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9608",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "tekton.dev/pipelineRunUID": "9e58fa08-a11d-4584-a021-5b1cc07863ca",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies",
                    "test.appstudio.openshift.io/pr-group-sha": "edbeabfd827400ac3bfec9b61ce3693a2847caaf0da2ea172da74adf84c60c"
                },
                "name": "konflux-t9cf96e779ee0d71e28ce38a5075bf1a8-prefetch-dependencies",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                        "uid": "9e58fa08-a11d-4584-a021-5b1cc07863ca"
                    }
                ],
                "resourceVersion": "35850",
                "uid": "f0476cc8-7604-4cb8-9838-4cee7df04ad0"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-ld7t88",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.3@sha256:45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-9fda02ee57"
                        }
                    },
                    {
                        "name": "git-basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-ggmahh"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:20:03Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:20:03Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-t9cf96e779ee0d71e28e9f689332a498b573ad69fd16948d51d-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        "entryPoint": "prefetch-dependencies",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies"
                    }
                },
                "startTime": "2026-07-03T09:19:55Z",
                "steps": [
                    {
                        "container": "step-prefetch-dependencies",
                        "imageID": "quay.io/konflux-ci/hermeto@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                        "name": "prefetch-dependencies",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://7152abc23d07ab405472513dc55497c052b95d1b38c91ead7b3fb547e61c7013",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:20:03Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:19:59Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for hermetic build.",
                    "params": [
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/workspace/source/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/workspace/source/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILE",
                                    "value": "/workspace/source/cachi2/cachi2.env"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY",
                                    "value": "/workspace/git-basic-auth"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.48.0@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e /mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace with the source code, prefetch artifacts will be stored on the workspace as well",
                            "name": "source"
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=b93015c813a048b44df2a1f6848f294e54b809cc",
                    "build.appstudio.redhat.com/commit_sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "build.appstudio.redhat.com/pull_request_number": "9609",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969861206",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tdgejf",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9609",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/98825e1a-9891-42cb-af8d-5a63f91639f7/records/b86bf837-0f6f-4591-8e97-ca64e9f7dfc3",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"b93015c813a048b44df2a1f6848f294e54b809cc\",\"eventType\":\"pull_request\",\"pull_request-id\":9609}",
                    "results.tekton.dev/result": "group-i4dp/results/98825e1a-9891-42cb-af8d-5a63f91639f7",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:27:31Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-ld7t88",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969861206",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9609",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "tekton.dev/pipelineRunUID": "98825e1a-9891-42cb-af8d-5a63f91639f7",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "konflux-tes3b6d3aef108776388619ec0c5839258c-rpms-signature-scan",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                        "uid": "98825e1a-9891-42cb-af8d-5a63f91639f7"
                    }
                ],
                "resourceVersion": "44072",
                "uid": "b86bf837-0f6f-4591-8e97-ca64e9f7dfc3"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-ld7t88",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:28:09Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:28:09Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-tes3b6d3aef10877638f9b96f3e6f3c9ba400b8e9c15a844349-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc\", \"digests\": [\"sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"199e2f91fd431d51\": 132, \"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:28:06+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:27:34Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                        "name": "rpms-signature-scan",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://ba4d2acfe20f956b15bae371b54ccf83949386ebac34bd46b241b3a5a37080db",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:28:05Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:27:47Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                        "name": "output-results",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://7ed8dc5296208105302427c0822f434a936e3556f2b52a1c6edf73acc592b2cf",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:28:06Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc\\\", \\\"digests\\\": [\\\"sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 132, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:28:06+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:28:06Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provide information about RPMs signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "build.appstudio.redhat.com/commit_sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "build.appstudio.redhat.com/pull_request_number": "9608",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969005529",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ggmahh",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9608",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/9e58fa08-a11d-4584-a021-5b1cc07863ca/records/6f758db7-e1c6-41f7-baaa-15e103d31462",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"7d75ea79923fbfb364a3933b82706d14ed207ae6\",\"eventType\":\"pull_request\",\"pull_request-id\":9608}",
                    "results.tekton.dev/result": "group-i4dp/results/9e58fa08-a11d-4584-a021-5b1cc07863ca",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-ld7t88",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:22:19Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-ld7t88",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969005529",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9608",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "tekton.dev/pipelineRunUID": "9e58fa08-a11d-4584-a021-5b1cc07863ca",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "edbeabfd827400ac3bfec9b61ce3693a2847caaf0da2ea172da74adf84c60c"
                },
                "name": "konflux-tes9cf96e779ee0d71e28ce38a5075bf1a8-rpms-signature-scan",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                        "uid": "9e58fa08-a11d-4584-a021-5b1cc07863ca"
                    }
                ],
                "resourceVersion": "38449",
                "uid": "6f758db7-e1c6-41f7-baaa-15e103d31462"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-ld7t88",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:22:56Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:22:56Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-tes9cf96e779ee0d71e3d691bc1137b458a4bb0f9c2360dc83a-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6\", \"digests\": [\"sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"199e2f91fd431d51\": 132, \"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:22:53+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:22:23Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                        "name": "rpms-signature-scan",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://bfbe716b0ca0da879dcd489f28da90a531055a45b77a6aa2a5ec30df39ecc269",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:22:52Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:22:34Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                        "name": "output-results",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c39a1b6d632093d625aa279ee82c2eedac288873e612f0c9c147c50e68b8dfe5",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:22:54Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6\\\", \\\"digests\\\": [\\\"sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 132, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:22:53+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:22:53Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provide information about RPMs signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=b93015c813a048b44df2a1f6848f294e54b809cc",
                    "build.appstudio.redhat.com/commit_sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "build.appstudio.redhat.com/pull_request_number": "9609",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969861206",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tdgejf",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9609",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/98825e1a-9891-42cb-af8d-5a63f91639f7/records/032152f5-d967-4508-b362-1f8e57fad65b",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"b93015c813a048b44df2a1f6848f294e54b809cc\",\"eventType\":\"pull_request\",\"pull_request-id\":9609}",
                    "results.tekton.dev/result": "group-i4dp/results/98825e1a-9891-42cb-af8d-5a63f91639f7",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:27:20Z",
                "finalizers": [
                    "results.tekton.dev/taskrun",
                    "chains.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-ld7t88",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969861206",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9609",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "tekton.dev/pipelineRunUID": "98825e1a-9891-42cb-af8d-5a63f91639f7",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "tekton.dev/task": "build-image-index",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "konflux-test-3b6d3aef108776388619ec0c5839258c-build-image-index",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                        "uid": "98825e1a-9891-42cb-af8d-5a63f91639f7"
                    }
                ],
                "resourceVersion": "42995",
                "uid": "032152f5-d967-4508-b362-1f8e57fad65b"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "b93015c813a048b44df2a1f6848f294e54b809cc"
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc@sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-ld7t88",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:27:30Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:27:30Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-3b6d3aef108776286e48f9cc08052e9e99a5e98ad249a4-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        "entryPoint": "build-image-index",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88@sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc"
                    }
                ],
                "startTime": "2026-07-03T09:27:20Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://47a0a665d040563362735363e4db1bfd79d45a8f77f73b9f9a6a812870040407",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:27:27Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88@sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:27:24Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "create-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://cee14a94d016325e684a92c1b535152cdac89c5fc8fc77397ec1a1cd2afca982",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:27:27Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88@sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:27:27Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://8f24baec775eb5e6152246ab48cf8832b8e32738fbeb1153579fd05dbb97e76b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:27:30Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88@sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:27:27Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The commit the image is built from.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "COMMIT_SHA",
                                "value": "b93015c813a048b44df2a1f6848f294e54b809cc"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc@sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n  echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n  exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n  TOADD=\"$i\"\n  TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n  TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n  if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n    #format is repository:tag@sha256:digest\n    #we need to remove the tag, and just reference the digest\n    #as tag + digest is not supported\n    TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n    TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n  fi\n  if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n    echo \"Skipping image index generation. Returning results for $TOADD.\"\n    echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n    echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n    echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n    exit 0\n  fi\n\n  echo \"Adding $TOADD\"\n  buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n  INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n  INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n  echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n  echo \"This will cause digest changes and break SBOM accessibility.\"\n  echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n  exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n    echo \"Failed to push image ${IMAGE} to registry\"\n    exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:konflux-test-3b6d3aef108776388619ec0c5839258c-build-image-index\"\nthen\n    echo \"Failed to push image ${IMAGE%:*}:konflux-test-3b6d3aef108776388619ec0c5839258c-build-image-index to registry\"\n    exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n  image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n  echo -n \"${IMAGE}@\"\n  cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "build.appstudio.redhat.com/commit_sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "build.appstudio.redhat.com/pull_request_number": "9608",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969005529",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ggmahh",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9608",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/9e58fa08-a11d-4584-a021-5b1cc07863ca/records/a4d197a3-e42d-4385-b7b0-87cffd33e42c",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"7d75ea79923fbfb364a3933b82706d14ed207ae6\",\"eventType\":\"pull_request\",\"pull_request-id\":9608}",
                    "results.tekton.dev/result": "group-i4dp/results/9e58fa08-a11d-4584-a021-5b1cc07863ca",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-ld7t88",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:22:09Z",
                "finalizers": [
                    "results.tekton.dev/taskrun",
                    "chains.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-ld7t88",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969005529",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9608",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "tekton.dev/pipelineRunUID": "9e58fa08-a11d-4584-a021-5b1cc07863ca",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "tekton.dev/task": "build-image-index",
                    "test.appstudio.openshift.io/pr-group-sha": "edbeabfd827400ac3bfec9b61ce3693a2847caaf0da2ea172da74adf84c60c"
                },
                "name": "konflux-test-9cf96e779ee0d71e28ce38a5075bf1a8-build-image-index",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                        "uid": "9e58fa08-a11d-4584-a021-5b1cc07863ca"
                    }
                ],
                "resourceVersion": "37654",
                "uid": "a4d197a3-e42d-4385-b7b0-87cffd33e42c"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "7d75ea79923fbfb364a3933b82706d14ed207ae6"
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6@sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-ld7t88",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:22:19Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:22:19Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-9cf96e779ee0d797b2b87799350ba3564f64b277cf7af1-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        "entryPoint": "build-image-index",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88@sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6"
                    }
                ],
                "startTime": "2026-07-03T09:22:09Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://8232e440b91c4388bf4783fd12da0ddcdd2b4fc01e599e1813d23caa47aa0ad8",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:22:15Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88@sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:22:13Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "create-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://40f35feab93a89ec15c44d0b314fef68a1f0ea6a4267ddb4e12eed87cba9730b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:22:16Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88@sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:22:16Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://98c373cd79ce05ece68a827ce432e18c2ab12ea415b86784fc8de60ac2984dcc",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:22:18Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88@sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:22:16Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The commit the image is built from.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "COMMIT_SHA",
                                "value": "7d75ea79923fbfb364a3933b82706d14ed207ae6"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6@sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n  echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n  exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n  TOADD=\"$i\"\n  TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n  TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n  if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n    #format is repository:tag@sha256:digest\n    #we need to remove the tag, and just reference the digest\n    #as tag + digest is not supported\n    TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n    TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n  fi\n  if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n    echo \"Skipping image index generation. Returning results for $TOADD.\"\n    echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n    echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n    echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n    exit 0\n  fi\n\n  echo \"Adding $TOADD\"\n  buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n  INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n  INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n  echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n  echo \"This will cause digest changes and break SBOM accessibility.\"\n  echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n  exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n    echo \"Failed to push image ${IMAGE} to registry\"\n    exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:konflux-test-9cf96e779ee0d71e28ce38a5075bf1a8-build-image-index\"\nthen\n    echo \"Failed to push image ${IMAGE%:*}:konflux-test-9cf96e779ee0d71e28ce38a5075bf1a8-build-image-index to registry\"\n    exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n  image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n  echo -n \"${IMAGE}@\"\n  cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=b93015c813a048b44df2a1f6848f294e54b809cc",
                    "build.appstudio.redhat.com/commit_sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "build.appstudio.redhat.com/pull_request_number": "9609",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-5dd31015b4",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969861206",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tdgejf",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9609",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/98825e1a-9891-42cb-af8d-5a63f91639f7/records/2a199fe6-c72a-4934-bbf6-e3da03127ce8",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"b93015c813a048b44df2a1f6848f294e54b809cc\",\"eventType\":\"pull_request\",\"pull_request-id\":9609}",
                    "results.tekton.dev/result": "group-i4dp/results/98825e1a-9891-42cb-af8d-5a63f91639f7",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:24:49Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-ld7t88",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969861206",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9609",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "tekton.dev/pipelineRunUID": "98825e1a-9891-42cb-af8d-5a63f91639f7",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "konflux-test-i3b6d3aef108776388619ec0c5839258c-clone-repository",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                        "uid": "98825e1a-9891-42cb-af8d-5a63f91639f7"
                    }
                ],
                "resourceVersion": "41408",
                "uid": "2a199fe6-c72a-4934-bbf6-e3da03127ce8"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    },
                    {
                        "name": "revision",
                        "value": "b93015c813a048b44df2a1f6848f294e54b809cc"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-ld7t88",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "output",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-2b298fb171"
                        }
                    },
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-tdgejf"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:24:55Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:24:55Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-i3b6d3aef10877e8fb74a2a6d945e2190dab1f23269d4c-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        "entryPoint": "git-clone",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "b93015c813a048b44df2a1f6848f294e54b809cc"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "b93015c813a048b44df2a1f6848f294e54b809cc"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1783070643"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "b93015c"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    }
                ],
                "startTime": "2026-07-03T09:24:50Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6c513e90ea7bd42d57da0ae432910952d42faf5a1241a84955fe95b2e6e022a9",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:24:53Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"b93015c813a048b44df2a1f6848f294e54b809cc\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1},{\"key\":\"commit\",\"value\":\"b93015c813a048b44df2a1f6848f294e54b809cc\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1783070643\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"b93015c\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:24:53Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://973938e64effdfdf65bbead59e515f3139089dde48ed077d7e3ffcef396e91d7",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:24:54Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"b93015c813a048b44df2a1f6848f294e54b809cc\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1},{\"key\":\"commit\",\"value\":\"b93015c813a048b44df2a1f6848f294e54b809cc\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1783070643\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"b93015c\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:24:54Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.",
                    "params": [
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "source",
                            "description": "Subdirectory inside the `output` Workspace to clone the repo into.",
                            "name": "subdirectory",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Clean out the contents of the destination directory if it already exists before cloning.",
                            "name": "deleteExisting",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Deprecated. Has no effect. Will be removed in the future.",
                            "name": "gitInitImage",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "b93015c813a048b44df2a1f6848f294e54b809cc"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "PARAM_DELETE_EXISTING",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_GIT_INIT_IMAGE"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n  set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n  echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n  # Delete any existing contents of the repo directory if it exists.\n  #\n  # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n  # or the root of a mounted volume.\n  if [ -d \"${CHECKOUT_DIR}\" ] ; then\n    # Delete non-hidden files and directories\n    rm -rf \"${CHECKOUT_DIR:?}\"/*\n    # Delete files and directories starting with . but excluding ..\n    rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n    # Delete files and directories starting with .. plus any other character\n    rm -rf \"${CHECKOUT_DIR}\"/..?*\n  fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n  cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\nif ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n  echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n  echo \"--- Git Status ---\"\n  git status\n  echo \"------------------\"\n  exit 1\nfi\n\n# Check if there are changes staged for commit\nif git diff --staged --quiet; then\n  echo \"No diff was found, skipping merge...\" \u003e\u00262\nelse\n  echo \"Merge successful (no conflicts found), committing...\"\nif ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n  echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n  exit 1\nfi\n  MERGED_SHA=$(git rev-parse HEAD)\n  echo \"New HEAD after merge: ${MERGED_SHA}\"\n  echo \"${MERGED_SHA}\" \u003e \"/tekton/results/merged_sha\"\nfi\n\nelse\n  echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink\n  do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The git repo will be cloned onto the volume backing this Workspace.",
                            "name": "output"
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=b93015c813a048b44df2a1f6848f294e54b809cc",
                    "build.appstudio.redhat.com/commit_sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "build.appstudio.redhat.com/pull_request_number": "9609",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-5dd31015b4",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969861206",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tdgejf",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9609",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/98825e1a-9891-42cb-af8d-5a63f91639f7/records/d04e1276-7dd0-450c-b237-5fb340de0ae3",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"b93015c813a048b44df2a1f6848f294e54b809cc\",\"eventType\":\"pull_request\",\"pull_request-id\":9609}",
                    "results.tekton.dev/result": "group-i4dp/results/98825e1a-9891-42cb-af8d-5a63f91639f7",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:27:30Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-ld7t88",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969861206",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9609",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "tekton.dev/pipelineRunUID": "98825e1a-9891-42cb-af8d-5a63f91639f7",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "konflux-test-i3b6d3aef108776388619ec0c5839258c-sast-shell-check",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                        "uid": "98825e1a-9891-42cb-af8d-5a63f91639f7"
                    }
                ],
                "resourceVersion": "43496",
                "uid": "d04e1276-7dd0-450c-b237-5fb340de0ae3"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-ld7t88",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-2b298fb171"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:27:53Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:27:53Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-i3b6d3aef1087764931901dc8be833c56b96febbdb72b5-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        "entryPoint": "sast-shell-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:27:46+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:27:32Z",
                "steps": [
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-shell-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://5a13b0a5a000e83b3c4f298bb1696c93ecb628487edb2ed651df04ce1e9d46c0",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:27:46Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:27:46+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:27:44Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6a4e11eafd461f24c9859975e028ace20ce384f4c51a077c0a2c152b5498b48c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:27:48Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:27:46+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:27:47Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "8",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/workspace/workspace/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n    read -r quota period \u003c /sys/fs/cgroup/cpu.max\n    if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n        export SC_JOBS=$(((quota + period - 1) / period))\n        echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n    fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n    --mode=json\n    --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n    # predefined list of shellcheck important findings\n    CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n    CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n    CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n    CSGREP_OPTS+=(\n        --event=\"$CSGREP_EVENT_FILTER\"\n    )\nelse\n    CSGREP_OPTS+=(\n        --event=\"error|warning\"\n    )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e \"$OUTPUT_FILE\"; then\n    echo \"Error occurred while running 'run-shellcheck.sh'\"\n    note=\"Task sast-shell-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e \"${OUTPUT_FILE}.filtered\" 2\u003e \"${OUTPUT_FILE}.error\"\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n        mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003e shellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n    echo 'No image-url or image-digest param provided. Skipping upload.'\n    exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n        echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n        continue\n    fi\n\n    # Determine the media type based on the file extension\n    if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n        MEDIA_TYPE=\"application/json\"\n    else\n        MEDIA_TYPE=\"application/sarif+json\"\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n      exit 1\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "build.appstudio.redhat.com/commit_sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "build.appstudio.redhat.com/pull_request_number": "9608",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-6095c5874a",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969005529",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ggmahh",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9608",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/9e58fa08-a11d-4584-a021-5b1cc07863ca/records/d2f07be2-fb47-4dc9-8769-bf7c8870dc4d",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"7d75ea79923fbfb364a3933b82706d14ed207ae6\",\"eventType\":\"pull_request\",\"pull_request-id\":9608}",
                    "results.tekton.dev/result": "group-i4dp/results/9e58fa08-a11d-4584-a021-5b1cc07863ca",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-ld7t88",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:19:45Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-ld7t88",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969005529",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9608",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "tekton.dev/pipelineRunUID": "9e58fa08-a11d-4584-a021-5b1cc07863ca",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone",
                    "test.appstudio.openshift.io/pr-group-sha": "edbeabfd827400ac3bfec9b61ce3693a2847caaf0da2ea172da74adf84c60c"
                },
                "name": "konflux-test-i9cf96e779ee0d71e28ce38a5075bf1a8-clone-repository",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                        "uid": "9e58fa08-a11d-4584-a021-5b1cc07863ca"
                    }
                ],
                "resourceVersion": "35684",
                "uid": "d2f07be2-fb47-4dc9-8769-bf7c8870dc4d"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    },
                    {
                        "name": "revision",
                        "value": "7d75ea79923fbfb364a3933b82706d14ed207ae6"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-ld7t88",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "output",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-9fda02ee57"
                        }
                    },
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-ggmahh"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:19:51Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:19:51Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-i9cf96e779ee0dec02f3bb84f862a29475fe056ac45834-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        "entryPoint": "git-clone",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "7d75ea79923fbfb364a3933b82706d14ed207ae6"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "7d75ea79923fbfb364a3933b82706d14ed207ae6"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1783070352"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "7d75ea7"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    }
                ],
                "startTime": "2026-07-03T09:19:45Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://8fee2d875b877a8bf5d58779bfe00d55e1dc336d35a79b7048a5278ac79eea74",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:19:50Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"7d75ea79923fbfb364a3933b82706d14ed207ae6\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1},{\"key\":\"commit\",\"value\":\"7d75ea79923fbfb364a3933b82706d14ed207ae6\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1783070352\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"7d75ea7\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:19:49Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d4db9ae1c3319c8ebbeded985b1486efab0527e8a13a4b87e7ce8f6a605c9fce",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:19:51Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"7d75ea79923fbfb364a3933b82706d14ed207ae6\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1},{\"key\":\"commit\",\"value\":\"7d75ea79923fbfb364a3933b82706d14ed207ae6\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1783070352\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"7d75ea7\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:19:51Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.",
                    "params": [
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "source",
                            "description": "Subdirectory inside the `output` Workspace to clone the repo into.",
                            "name": "subdirectory",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Clean out the contents of the destination directory if it already exists before cloning.",
                            "name": "deleteExisting",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Deprecated. Has no effect. Will be removed in the future.",
                            "name": "gitInitImage",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "7d75ea79923fbfb364a3933b82706d14ed207ae6"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "PARAM_DELETE_EXISTING",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_GIT_INIT_IMAGE"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n  set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n  echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n  # Delete any existing contents of the repo directory if it exists.\n  #\n  # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n  # or the root of a mounted volume.\n  if [ -d \"${CHECKOUT_DIR}\" ] ; then\n    # Delete non-hidden files and directories\n    rm -rf \"${CHECKOUT_DIR:?}\"/*\n    # Delete files and directories starting with . but excluding ..\n    rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n    # Delete files and directories starting with .. plus any other character\n    rm -rf \"${CHECKOUT_DIR}\"/..?*\n  fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n  cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\nif ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n  echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n  echo \"--- Git Status ---\"\n  git status\n  echo \"------------------\"\n  exit 1\nfi\n\n# Check if there are changes staged for commit\nif git diff --staged --quiet; then\n  echo \"No diff was found, skipping merge...\" \u003e\u00262\nelse\n  echo \"Merge successful (no conflicts found), committing...\"\nif ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n  echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n  exit 1\nfi\n  MERGED_SHA=$(git rev-parse HEAD)\n  echo \"New HEAD after merge: ${MERGED_SHA}\"\n  echo \"${MERGED_SHA}\" \u003e \"/tekton/results/merged_sha\"\nfi\n\nelse\n  echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink\n  do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The git repo will be cloned onto the volume backing this Workspace.",
                            "name": "output"
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "build.appstudio.redhat.com/commit_sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "build.appstudio.redhat.com/pull_request_number": "9608",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-6095c5874a",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969005529",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ggmahh",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9608",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/9e58fa08-a11d-4584-a021-5b1cc07863ca/records/bb8bece8-7e88-4d09-a8bc-209ae0507948",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"7d75ea79923fbfb364a3933b82706d14ed207ae6\",\"eventType\":\"pull_request\",\"pull_request-id\":9608}",
                    "results.tekton.dev/result": "group-i4dp/results/9e58fa08-a11d-4584-a021-5b1cc07863ca",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-ld7t88",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:22:19Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-ld7t88",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969005529",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9608",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "tekton.dev/pipelineRunUID": "9e58fa08-a11d-4584-a021-5b1cc07863ca",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check",
                    "test.appstudio.openshift.io/pr-group-sha": "edbeabfd827400ac3bfec9b61ce3693a2847caaf0da2ea172da74adf84c60c"
                },
                "name": "konflux-test-i9cf96e779ee0d71e28ce38a5075bf1a8-sast-shell-check",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                        "uid": "9e58fa08-a11d-4584-a021-5b1cc07863ca"
                    }
                ],
                "resourceVersion": "38210",
                "uid": "bb8bece8-7e88-4d09-a8bc-209ae0507948"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-ld7t88",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-9fda02ee57"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:22:37Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:22:37Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-i9cf96e779ee0d2cb2cb99378ad3a9fc77bc3f9b2a442d-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        "entryPoint": "sast-shell-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:22:34+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:22:21Z",
                "steps": [
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-shell-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d78df8a78b3c978620071c7dab95ab468a19a269350ca295580857e0eec3866f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:22:34Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:22:34+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:22:33Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://997d31ccaf15c92a5294da9c3d1b191e11ec69fc265ad150fb4edc2ca445fb2a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:22:36Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:22:34+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:22:35Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "8",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/workspace/workspace/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n    read -r quota period \u003c /sys/fs/cgroup/cpu.max\n    if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n        export SC_JOBS=$(((quota + period - 1) / period))\n        echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n    fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n    --mode=json\n    --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n    # predefined list of shellcheck important findings\n    CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n    CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n    CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n    CSGREP_OPTS+=(\n        --event=\"$CSGREP_EVENT_FILTER\"\n    )\nelse\n    CSGREP_OPTS+=(\n        --event=\"error|warning\"\n    )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e \"$OUTPUT_FILE\"; then\n    echo \"Error occurred while running 'run-shellcheck.sh'\"\n    note=\"Task sast-shell-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e \"${OUTPUT_FILE}.filtered\" 2\u003e \"${OUTPUT_FILE}.error\"\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n        mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003e shellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n    echo 'No image-url or image-digest param provided. Skipping upload.'\n    exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n        echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n        continue\n    fi\n\n    # Determine the media type based on the file extension\n    if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n        MEDIA_TYPE=\"application/json\"\n    else\n        MEDIA_TYPE=\"application/sarif+json\"\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n      exit 1\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=b93015c813a048b44df2a1f6848f294e54b809cc",
                    "build.appstudio.redhat.com/commit_sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "build.appstudio.redhat.com/pull_request_number": "9609",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-5dd31015b4",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969861206",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tdgejf",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9609",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/98825e1a-9891-42cb-af8d-5a63f91639f7/records/8438927a-529b-4259-a31d-2dfb17d076ee",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"b93015c813a048b44df2a1f6848f294e54b809cc\",\"eventType\":\"pull_request\",\"pull_request-id\":9609}",
                    "results.tekton.dev/result": "group-i4dp/results/98825e1a-9891-42cb-af8d-5a63f91639f7",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:25:12Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-ld7t88",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969861206",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9609",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "tekton.dev/pipelineRunUID": "98825e1a-9891-42cb-af8d-5a63f91639f7",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "konflux-test-in3b6d3aef108776388619ec0c5839258c-build-container",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                        "uid": "98825e1a-9891-42cb-af8d-5a63f91639f7"
                    }
                ],
                "resourceVersion": "42370",
                "uid": "8438927a-529b-4259-a31d-2dfb17d076ee"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "."
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "b93015c813a048b44df2a1f6848f294e54b809cc"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-ld7t88",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.9@sha256:b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-2b298fb171"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:27:20Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:27:20Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-in3b6d3aef10873db96f9bb946a18e0602d0851f08520c-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        "entryPoint": "buildah",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc@sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88@sha256:0c71d5304b8c2637e525bb598b6ea31e98611f248777db6f9c11b5393522ca62"
                    }
                ],
                "startTime": "2026-07-03T09:25:13Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://ad34ee42b8d2eda200c6de8291dac93c8748efe690d9d7da406e0c4dd6d75f93",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:26:15Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:25:19Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://0bdb5287d9fd6dca4a0ef0df4cb78c031b3af7a50a5ec853d911ffcd568f548b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:26:25Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc@sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:26:15Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "sbom-syft-generate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://076b3bd587dc0d4c92e920f39a0cbbc69c7d2843370365db04d36073e18cca7b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:26:35Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc@sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:26:26Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "prepare-sboms",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://46394a2efc5978bfdf15c3685ccace5c561bdaf62b1c937a6c79c871f6fbe9f4",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:26:53Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc@sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:26:35Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://7d9020508b340dfdce979cb4e1791db6ab14befda90ac3e759550cec638cdc01",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:27:20Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc@sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88@sha256:0c71d5304b8c2637e525bb598b6ea31e98611f248777db6f9c11b5393522ca62\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:26:53Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.",
                    "params": [
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to enable privileged mode, should be used only with remote VMs",
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "4Gi"
                            },
                            "requests": {
                                "cpu": "1",
                                "memory": "4Gi"
                            }
                        },
                        "env": [
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "."
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "5d"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "ENTITLEMENT_SECRET",
                                "value": "etc-pki-entitlement"
                            },
                            {
                                "name": "ACTIVATION_KEY",
                                "value": "activation-key"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--build-args",
                                "--env",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                },
                                "requests": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "b93015c813a048b44df2a1f6848f294e54b809cc"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "Dockerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n  if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n    echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n    export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n      echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n      export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n    fi\n  fi\n}\n\nfunction unset_proxy {\n  echo \"[$(date --utc -Ins)] Unsetting proxy\"\n  unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n  echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n  CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n  \"$source_dir_path\" | \"$source_dir_path/\"*)\n    # path is valid, do nothing\n    ;;\n  *)\n    echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n    echo \"Source path: $source_dir_path\" \u003e\u00262\n    echo \"Resolved path: $context_dir_path\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n  # Instrumented builds (SAST) use this custom dockerfile step as their base\n  dockerfile_path=\"$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n  icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e /etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n  while IFS= read -r line || [[ -n \"$line\" ]]; do\n    # Skip empty lines and comments\n    if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n      ANNOTATIONS+=(\"--annotation\" \"$line\")\n    fi\n  done \u003c \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n    case $1 in\n        --build-args)\n            shift\n            # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n            # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n            # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do build_args+=(\"$1\"); shift; done\n            ;;\n        --env)\n            shift\n            # Collect env entries of the form KEY=value\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do env_vars+=(\"$1\"); shift; done\n            ;;\n        --labels)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do LABELS+=(\"--label\" \"$1\"); shift; done\n            ;;\n        --annotations)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ANNOTATIONS+=(\"--annotation\" \"$1\"); shift; done\n            ;;\n        *)\n            echo \"unexpected argument: $1\" \u003e\u00262\n            exit 2\n            ;;\n    esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n  BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n  ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e /shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n    jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--pull=never\")\n  UNSHARE_ARGS+=(\"--net\")\n  buildah_retries=3\n\n  set_proxy\n\n  for image in $BASE_IMAGES; do\n    if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"\n    then\n      echo \"Failed to pull base image ${image}\"\n      exit 1\n    fi\n  done\n\n  unset_proxy\n\n  echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n  BUILDAH_ARGS+=(\"--cap-add=all\")\n  BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n  BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n  if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n    BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n  fi\n  if [ -n \"$BUILD_TIMESTAMP\" ]; then\n    echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n    exit 1\n  fi\n  # but do set it so that we get all the labels/annotations associated with it\n  BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/workspace/source/cachi2/cachi2.env\" ]; then\n  # Identify the current arch to filter the prefetched content\n  PREFETCH_ARCH=\"$(uname -m)\"\n  echo \"$PREFETCH_ARCH\" \u003e /shared/prefetch-arch\n\n  echo \"Prefetched content will be made available\"\n\n  cp -r \"/workspace/source/cachi2\" /tmp/\n  chmod -R go+rwX /tmp/cachi2\n\n  # In case RPMs were prefetched and this is a multi-arch build,\n  # clean up the packages that do not match the architecture being built\n  RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n  if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n    echo \"Removing prefetched RPMs from non-matching architectures\"\n    PREFETCH_ARCH=\"$(uname -m)\"\n    for path in \"$RPM_PREFETCH_DIR\"/*; do\n      if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n        echo \"Removing: $path\"\n        rm -rf \"$path\"\n      else\n        echo \"Keeping: $path\"\n      fi\n    done\n  fi\n\n  VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n  # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n  # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n  sed -E -i \\\n      -e 'H;1h;$!d;x' \\\n      -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n    @igM' \\\n      \"$dockerfile_copy\"\n\n  prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n  if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n    echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n    mkdir -p \"$YUM_REPOS_D_FETCHED\"\n    if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n      cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n    fi\n  fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n  cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n  mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n  VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n  \"--label\" \"architecture=$(uname -m)\"\n  \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n  BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n  BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n  FINAL_BASE_IMAGE=$(\n    # Get the base image of the final stage\n    # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n    # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n    # Run the find_root_stage() function on the final stage\n    # If the final stage is scratch or oci-archive, return empty\n    jq -r '.Stages as $all_stages |\n      def find_root_stage($stage):\n        if $stage.From.Stage then\n          find_root_stage($all_stages[$stage.From.Stage.Index])\n        else\n          $stage\n        end;\n\n        find_root_stage(.Stages[-1]) |\n        if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n          empty\n        else\n          .BaseName\n        end' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n  )\n  if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n    set_proxy\n    buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null` `\n    unset_proxy\n    buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n  fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n  if [[ \"$label\" != \"--label\" ]]; then\n    label_pairs+=(\"$label\")\n  fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n  label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n  [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n  | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  echo \"\" \u003e\u003e\"$dockerfile_copy\"\n  # Always write labels.json to the new standard location\n  echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  # Conditionally write to the old location for backward compatibility\n  if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n    echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n  ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n  cp \"$containerignore\" \"$ignorefile_copy\"\n  {\n    echo \"\"\n    echo \"!/labels.json\"\n    echo \"!/content-sets.json\"\n  } \u003e\u003e \"$ignorefile_copy\"\n  BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n#    shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n  cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n  mkdir -p /shared/rhsm/etc/pki/entitlement\n  mkdir -p /shared/rhsm/etc/pki/consumer\n\n  VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key \\\n                  -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z \\\n                  -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n  echo \"Adding activation key to the build\"\n\n  if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n    # user is not running registration in the Containerfile: pre-register.\n    echo \"Pre-registering with subscription manager.\"\n    export RETRY_MAX_TRIES=6\n    if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"\n    then\n      echo \"Subscription-manager register failed\"\n      exit 1\n    fi\n    unset RETRY_MAX_TRIES\n    trap 'subscription-manager unregister || true' EXIT\n\n    # copy generated certificates to /shared volume\n    cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n    cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n    # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n    VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n  fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e /dev/null; then\n  cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n  VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n  echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n  if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n    echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n    echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n    exit 1\n  fi\n  # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n  # (we set the workdir using 'unshare -w')\n  context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n  VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n  # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n  # Instrumented builds (SAST) use this step as their base and add some other tools.\n  while read -r volume_mount; do\n    VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n  done \u003c\u003c\u003c \"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n  cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n  while read -r filename; do\n    echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n    BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n  done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n    buildah build\n    \"${VOLUME_MOUNTS[@]}\"\n    \"${BUILDAH_ARGS[@]}\"\n    \"${LABELS[@]}\"\n    \"${ANNOTATIONS[@]}\"\n    --tls-verify=\"$TLSVERIFY\" --no-cache\n    --ulimit nofile=4096:4096\n    --http-proxy=false\n    -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n  command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n  command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n  # Get the image pullspec and filter out a tag if it is not set\n  # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n  base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n  # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n  # if buildah did not use that particular image during build because it was skipped\n  if [ -n \"$base_image_digest\" ]; then\n    echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n  fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e /shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "konflux-test-in3b6d3aef108776388619ec0c5839258c-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "push",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"\nthen\n  echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/workspace/source/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n  echo \"Failed to push sbom image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c \"/workspace/source\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/workspace/source/image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"\nthen\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n  [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n  [rekorInternalUrl]=REKOR_URL\n  [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n  [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n  [rekorInternalUrl]=rekorExternalUrl\n  [fulcioInternalUrl]=fulcioExternalUrl\n  [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e /shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e /tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\n  cyclonedx)\n    syft_sbom_type=cyclonedx-json@1.5 ;;\n  spdx)\n    syft_sbom_type=spdx-json@2.3 ;;\n  *)\n    echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/workspace/source/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/source/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n    --additional-base-images)\n      shift\n      while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ADDITIONAL_BASE_IMAGES+=(\"$1\"); shift; done\n      ;;\n    *)\n      echo \"unexpected argument: $1\" \u003e\u00262\n      exit 2\n      ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/workspace/source/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/workspace/source/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/workspace/source/sbom-source.json\")\nfi\n\nif [ -f \"/workspace/source/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/workspace/source/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n    # spdx export data as rawstring, we want structured json as cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code to build.",
                            "name": "source"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=b93015c813a048b44df2a1f6848f294e54b809cc",
                    "build.appstudio.redhat.com/commit_sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "build.appstudio.redhat.com/pull_request_number": "9609",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-5dd31015b4",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969861206",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tdgejf",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9609",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/98825e1a-9891-42cb-af8d-5a63f91639f7/records/24d29664-dc99-4dfb-b8be-7b317591f5a8",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"b93015c813a048b44df2a1f6848f294e54b809cc\",\"eventType\":\"pull_request\",\"pull_request-id\":9609}",
                    "results.tekton.dev/result": "group-i4dp/results/98825e1a-9891-42cb-af8d-5a63f91639f7",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, appstudio",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:27:31Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-ld7t88",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969861206",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9609",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "tekton.dev/pipelineRunUID": "98825e1a-9891-42cb-af8d-5a63f91639f7",
                    "tekton.dev/pipelineTask": "push-dockerfile",
                    "tekton.dev/task": "push-dockerfile",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "konflux-test-in3b6d3aef108776388619ec0c5839258c-push-dockerfile",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                        "uid": "98825e1a-9891-42cb-af8d-5a63f91639f7"
                    }
                ],
                "resourceVersion": "44084",
                "uid": "24d29664-dc99-4dfb-b8be-7b317591f5a8"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "."
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-ld7t88",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "push-dockerfile"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3@sha256:64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-2b298fb171"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:27:47Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:27:47Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-in3b6d3aef10872ba8d031cb49b95abde4ad56537865b8-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        "entryPoint": "push-dockerfile",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88@sha256:ec5ea7cc047a6ddd7577193922ccbed2c9033a7a96be2065dd14e3c8b3955720"
                    }
                ],
                "startTime": "2026-07-03T09:27:33Z",
                "steps": [
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://7abb25c0336e50782f2b3de5d7d3281135317ee3fc7b25c3e4b879ef6d73be3f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:27:45Z",
                            "message": "[{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88@sha256:ec5ea7cc047a6ddd7577193922ccbed2c9033a7a96be2065dd14e3c8b3955720\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:27:44Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.",
                    "params": [
                        {
                            "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": ".dockerfile",
                            "description": "Suffix of the Dockerfile image tag.",
                            "name": "TAG_SUFFIX",
                            "type": "string"
                        },
                        {
                            "default": "application/vnd.konflux.dockerfile",
                            "description": "Artifact type of the Dockerfile image.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest-pinned image reference to the Dockerfile image.",
                            "name": "IMAGE_REF",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--source",
                                "source",
                                "--context",
                                ".",
                                "--containerfile",
                                "Dockerfile",
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc",
                                "--image-digest",
                                "sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e",
                                "--artifact-type",
                                "application/vnd.konflux.dockerfile",
                                "--tag-suffix",
                                ".dockerfile",
                                "--result-path-image-ref",
                                "/tekton/results/IMAGE_REF",
                                "--alternative-filename",
                                "Dockerfile"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "push-containerfile"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                            "name": "push",
                            "workingDir": "/workspace/workspace"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code from where the Dockerfile is discovered.",
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=b93015c813a048b44df2a1f6848f294e54b809cc",
                    "build.appstudio.redhat.com/commit_sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "build.appstudio.redhat.com/pull_request_number": "9609",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-5dd31015b4",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969861206",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tdgejf",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9609",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/98825e1a-9891-42cb-af8d-5a63f91639f7/records/6e46a7ff-0dea-456f-85d1-9b0c6add3af1",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"b93015c813a048b44df2a1f6848f294e54b809cc\",\"eventType\":\"pull_request\",\"pull_request-id\":9609}",
                    "results.tekton.dev/result": "group-i4dp/results/98825e1a-9891-42cb-af8d-5a63f91639f7",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:27:30Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-ld7t88",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969861206",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9609",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "tekton.dev/pipelineRunUID": "98825e1a-9891-42cb-af8d-5a63f91639f7",
                    "tekton.dev/pipelineTask": "sast-snyk-check",
                    "tekton.dev/task": "sast-snyk-check",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "konflux-test-in3b6d3aef108776388619ec0c5839258c-sast-snyk-check",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                        "uid": "98825e1a-9891-42cb-af8d-5a63f91639f7"
                    }
                ],
                "resourceVersion": "43242",
                "uid": "6e46a7ff-0dea-456f-85d1-9b0c6add3af1"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-ld7t88",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-snyk-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-2b298fb171"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:27:46Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:27:46Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-in3b6d3aef1087e05d8912d5620401ce9d1e45d4065a8d-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        "entryPoint": "sast-snyk-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-03T09:27:43+00:00\",\"note\":\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:27:31Z",
                "steps": [
                    {
                        "container": "step-sast-snyk-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-snyk-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d1c0525d0606dd676ee96751d32dc1632c89f380e2dad0ed279453f3947c0f2d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:27:43Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-03T09:27:43+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:27:42Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b7a4d26d56c99b59da0ef27e48e4a12681cc6e266b2cb1a64a6880fe1714db18",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:27:44Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-03T09:27:43+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:27:44Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.\n\nFollow the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/) to obtain a snyk-token and to enable the snyk task in a Pipeline.\n\nThe snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test\n\nSee https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.",
                    "params": [
                        {
                            "default": "snyk-secret",
                            "description": "Name of secret which contains Snyk token.",
                            "name": "SNYK_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Append arguments.",
                            "name": "ARGS",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Digest of the image to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Report only important findings in task result. Default is \"true\". To report all findings in task result, specify \"false\". Uploaded SARIF report to remote registry always includes all findings, regardless of severity level.",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Write excluded records in file. Useful for auditing (defaults to false).",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.",
                            "name": "IGNORE_FILE_PATHS",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "6Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "6Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNYK_SECRET",
                                    "value": "snyk-secret"
                                },
                                {
                                    "name": "ARGS"
                                },
                                {
                                    "name": "IGNORE_FILE_PATHS"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-snyk-check",
                            "script": "#!/usr/bin/env bash\n\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\n# Installation of Red Hat certificates for cloning Red Hat internal repositories\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSNYK_TOKEN_PATH=\"/etc/secrets/snyk_token\"\nif [ -f \"${SNYK_TOKEN_PATH}\" ] \u0026\u0026 [ -s \"${SNYK_TOKEN_PATH}\" ]; then\n  # SNYK token is provided\n  SNYK_TOKEN=\"$(cat ${SNYK_TOKEN_PATH})\"\n  export SNYK_TOKEN\nelse\n  # According to shellcheck documentation, the following error can be ignored as it is ignored through indirection: https://www.shellcheck.net/wiki/SC2034\n  # shellcheck disable=SC2034\n  to_enable_snyk='[here](https://konflux-ci.dev/docs/testing/build/snyk/)'\n  note=\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given ${to_enable_snyk}\"\n  TEST_OUTPUT=$(make_result_json -r SKIPPED -t \"$note\")\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nSNYK_EXIT_CODE=0\nSOURCE_CODE_DIR=/workspace/workspace\n\n# We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.\n(cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 IFS=\",\" \u0026\u0026 for path in $IGNORE_FILE_PATHS; do\n  snyk ignore --file-path=\"source/${path}\"\ndone)\n\nset +e\necho \"INFO: Running 'snyk code test'..\"\n# We do want to expand ARGS (it can be multiple CLI flags, not just one)\n# shellcheck disable=SC2086\n\n# Generate full paths for each directory in TARGET_DIRS\nIFS=\",\" read -ra TARGETS_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGETS_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # Ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ ! \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\n\n  # Ensure directory exists\n  if [ ! -d \"$resolved_path\" ]; then\n    echo \"Warning: Directory $resolved_path does not exist, skipping\"\n    continue\n  fi\n\n  echo \"INFO: Scanning directory: $resolved_path\"\n  # We do want to expand ARGS (it can be multiple CLI flags, not just one)\n  # shellcheck disable=SC2086\n  snyk code test $ARGS \"$resolved_path\" --max-depth=1 --sarif-file-output=\"${resolved_path}/sast_snyk_check_out_${d//\\//_}.json\" 1\u003e\u00262\u003e\u003e stdout.txt\n  cmd_exit_code=$?\n  # Track the exit code: if any snyk command fails, preserve the failure\n  # Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error, 3 = no supported files\n  # Error codes (2+) always override, warning codes (1,3) only if no previous error\n  if [[ \"$cmd_exit_code\" -ne 0 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 1 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 3 ]]; then\n    SNYK_EXIT_CODE=$cmd_exit_code\n  fi\n\ndone\n\n# Merge all SARIF outputs\nfind \"$SOURCE_CODE_DIR\" -name \"sast_snyk_check_out_*.json\" -exec cat {} + \u003e \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\nset -e\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\n\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n  # Check if the merged SARIF file has content - this could happen if the snyk scan found no findings\n  if [ ! -s \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\" ]; then\n    echo \"WARN: No JSON output files were generated by snyk scan\"\n    # Get snyk version for proper SARIF metadata\n    SNYK_VERSION=$(snyk --version 2\u003e/dev/null | head -1 | tr -d '\\n' || echo \"unknown\")\n    # Create a valid minimal SARIF structure using jq\n    # Note: coverage array is required even when empty because downstream jq commands expect it\n    jq -n --arg version \"$SNYK_VERSION\" '{\n      \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n      \"version\": \"2.1.0\",\n      \"runs\": [{\n        \"tool\": {\n          \"driver\": {\n            \"name\": \"snyk\",\n            \"version\": $version,\n            \"informationUri\": \"https://snyk.io\"\n          }\n        },\n        \"results\": [],\n        \"properties\": {\n          \"coverage\": []\n        }\n      }]\n    }' \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\n  fi\n\n  # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context\n  (cd  \"${SOURCE_CODE_DIR}\" \u0026\u0026 csgrep --mode=json --embed-context=3 \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json) \\\n    | csgrep --mode=json --strip-path-prefix=\"source/\"  \\\n    \u003e sast_snyk_check_out_all_findings.json\n\n  echo \"INFO: Initial results:\"\n  csgrep --mode=evtstat sast_snyk_check_out_all_findings.json\n\n  if [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\n  fi\n  PROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n  # create the KFP clone directory regardless\n  KFP_DIR=\"known-false-positives\"\n  KFP_CLONED=\"0\"\n  mkdir \"${KFP_DIR}\"\n\n  # We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\n  if [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n      echo \"INFO: Trying to clone known-false-positives..\"\n      git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\n  fi\n\n  if [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone know-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json\n  else\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    CMD=(\n      csfilter-kfp\n      --verbose\n      --kfp-dir=\"${KFP_DIR}\"\n      --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [ \"${RECORD_EXCLUDED}\" == \"true\" ]; then\n      CMD+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    set +e\n    \"${CMD[@]}\" sast_snyk_check_out_all_findings.json \u003e filtered_sast_snyk_check_out.json\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n      echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n      echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\n    echo \"INFO: Results after filtering:\"\n    (set -x \u0026\u0026 csgrep --mode=evtstat filtered_sast_snyk_check_out.json)\n  fi\n\n  # Generation of scan stats\n\n  total_files=$(jq '[.runs[0].properties.coverage[].files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n  supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == \"SUPPORTED\") | .files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n\n  # We make sure the values are 0 if no supported/total files are found\n  if [ \"$total_files\" = \"null\" ] || [ -z \"$total_files\" ]; then\n    total_files=0\n  fi\n\n  if [ \"$supported_files\" = \"null\" ] || [ -z \"$supported_files\" ]; then\n    supported_files=0\n  fi\n\n  coverage_ratio=0\n  if (( total_files \u003e 0 )); then\n      coverage_ratio=$((supported_files * 100 / total_files))\n  fi\n\n  # embed stats in results file and convert to SARIF\n  csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:\"${coverage_ratio}\" \\\n                      --set-scan-prop snyk-scanned-files-success:\"${supported_files}\"  \\\n                      --set-scan-prop snyk-scanned-files-total:\"${total_files}\" \\\n                      filtered_sast_snyk_check_out.json  \u003e sast_snyk_check_out.sarif\n\n  # Create filtered SARIF for Tekton task result based on IMP_FINDINGS_ONLY parameter\n  if [ \"${IMP_FINDINGS_ONLY}\" == \"true\" ]; then\n    # Filter to only \"error\" level or higher (high/critical severity) for Tekton task result\n    # In SARIF, defects are given a level like \"error\" or \"warning\". Snyk maps \"high\" level findings to \"error\".\n    # - \"error\" → importance level 1\n    # - \"warning\" (or missing level) → importance level 0\n    RESULT_SARIF=\"result_sast_snyk_check_out.sarif\"\n    csgrep --mode=sarif --imp-level 1 sast_snyk_check_out.sarif \u003e \"$RESULT_SARIF\"\n  else\n    # Use all findings for Tekton task result\n    RESULT_SARIF=\"sast_snyk_check_out.sarif\"\n  fi\n\n  TEST_OUTPUT=\n  parse_test_output \"sast-snyk-check\" sarif \"$RESULT_SARIF\"  || true\n\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n  note=\"Task sast-snyk-check success: Snyk code test found zero supported files.\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-snyk-check test failed because of the following issues:\"\n  cat stdout.txt\n  note=\"Task sast-snyk-check failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets",
                                    "name": "snyk-secret",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_snyk_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n    if [ \"${UPLOAD_FILES}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach to ${IMAGE_URL}\"\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "snyk-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "snyk-secret"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "build.appstudio.redhat.com/commit_sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "build.appstudio.redhat.com/pull_request_number": "9608",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-6095c5874a",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969005529",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ggmahh",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9608",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/9e58fa08-a11d-4584-a021-5b1cc07863ca/records/e5b7d8fc-bae3-4632-8c3b-751fd0ab33f7",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"7d75ea79923fbfb364a3933b82706d14ed207ae6\",\"eventType\":\"pull_request\",\"pull_request-id\":9608}",
                    "results.tekton.dev/result": "group-i4dp/results/9e58fa08-a11d-4584-a021-5b1cc07863ca",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-ld7t88",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:20:06Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-ld7t88",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969005529",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9608",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "tekton.dev/pipelineRunUID": "9e58fa08-a11d-4584-a021-5b1cc07863ca",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah",
                    "test.appstudio.openshift.io/pr-group-sha": "edbeabfd827400ac3bfec9b61ce3693a2847caaf0da2ea172da74adf84c60c"
                },
                "name": "konflux-test-in9cf96e779ee0d71e28ce38a5075bf1a8-build-container",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                        "uid": "9e58fa08-a11d-4584-a021-5b1cc07863ca"
                    }
                ],
                "resourceVersion": "36930",
                "uid": "e5b7d8fc-bae3-4632-8c3b-751fd0ab33f7"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "."
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "7d75ea79923fbfb364a3933b82706d14ed207ae6"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-ld7t88",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.9@sha256:b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-9fda02ee57"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:22:09Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:22:09Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-in9cf96e779ee025a0794f3d5fca316d5918e40974c3d2-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        "entryPoint": "buildah",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6@sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88@sha256:29e3c3b1ad5142c01fb675b246a7b0f3892bd4ee716fbdeff9f7a58925126962"
                    }
                ],
                "startTime": "2026-07-03T09:20:06Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a78eabc44724ace28871e37c9bad087a9f4c49ae6bd5666c9f081d1f94a54216",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:20:53Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:20:13Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://1f68687bb4ea5a7f5dc189c5d39e29b7f86e67cf9def5badc9961ae398fb0c45",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:21:13Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6@sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:20:53Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "sbom-syft-generate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://624642b50f6d3e15807ecc2e41aceb1c5504a4c691fd17399f4745a421a55411",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:21:22Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6@sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:21:13Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "prepare-sboms",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f469f69ba668efcc523d6242248fb0f06cf45223618d94dcea255294f03d7de0",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:21:40Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6@sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:21:23Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://db6152408f650d0b989ad163e50f9464504d7dfb8416484af0d491bc3977325a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:22:08Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6@sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88@sha256:29e3c3b1ad5142c01fb675b246a7b0f3892bd4ee716fbdeff9f7a58925126962\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:21:41Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.",
                    "params": [
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to enable privileged mode, should be used only with remote VMs",
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "4Gi"
                            },
                            "requests": {
                                "cpu": "1",
                                "memory": "4Gi"
                            }
                        },
                        "env": [
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "."
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "5d"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "ENTITLEMENT_SECRET",
                                "value": "etc-pki-entitlement"
                            },
                            {
                                "name": "ACTIVATION_KEY",
                                "value": "activation-key"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--build-args",
                                "--env",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                },
                                "requests": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "7d75ea79923fbfb364a3933b82706d14ed207ae6"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "Dockerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n  if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n    echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n    export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n      echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n      export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n    fi\n  fi\n}\n\nfunction unset_proxy {\n  echo \"[$(date --utc -Ins)] Unsetting proxy\"\n  unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n  echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n  CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n  \"$source_dir_path\" | \"$source_dir_path/\"*)\n    # path is valid, do nothing\n    ;;\n  *)\n    echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n    echo \"Source path: $source_dir_path\" \u003e\u00262\n    echo \"Resolved path: $context_dir_path\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n  # Instrumented builds (SAST) use this custom dockerfile step as their base\n  dockerfile_path=\"$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n  icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e /etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n  while IFS= read -r line || [[ -n \"$line\" ]]; do\n    # Skip empty lines and comments\n    if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n      ANNOTATIONS+=(\"--annotation\" \"$line\")\n    fi\n  done \u003c \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n    case $1 in\n        --build-args)\n            shift\n            # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n            # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n            # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do build_args+=(\"$1\"); shift; done\n            ;;\n        --env)\n            shift\n            # Collect env entries of the form KEY=value\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do env_vars+=(\"$1\"); shift; done\n            ;;\n        --labels)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do LABELS+=(\"--label\" \"$1\"); shift; done\n            ;;\n        --annotations)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ANNOTATIONS+=(\"--annotation\" \"$1\"); shift; done\n            ;;\n        *)\n            echo \"unexpected argument: $1\" \u003e\u00262\n            exit 2\n            ;;\n    esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n  BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n  ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e /shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n    jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--pull=never\")\n  UNSHARE_ARGS+=(\"--net\")\n  buildah_retries=3\n\n  set_proxy\n\n  for image in $BASE_IMAGES; do\n    if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"\n    then\n      echo \"Failed to pull base image ${image}\"\n      exit 1\n    fi\n  done\n\n  unset_proxy\n\n  echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n  BUILDAH_ARGS+=(\"--cap-add=all\")\n  BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n  BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n  if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n    BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n  fi\n  if [ -n \"$BUILD_TIMESTAMP\" ]; then\n    echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n    exit 1\n  fi\n  # but do set it so that we get all the labels/annotations associated with it\n  BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/workspace/source/cachi2/cachi2.env\" ]; then\n  # Identify the current arch to filter the prefetched content\n  PREFETCH_ARCH=\"$(uname -m)\"\n  echo \"$PREFETCH_ARCH\" \u003e /shared/prefetch-arch\n\n  echo \"Prefetched content will be made available\"\n\n  cp -r \"/workspace/source/cachi2\" /tmp/\n  chmod -R go+rwX /tmp/cachi2\n\n  # In case RPMs were prefetched and this is a multi-arch build,\n  # clean up the packages that do not match the architecture being built\n  RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n  if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n    echo \"Removing prefetched RPMs from non-matching architectures\"\n    PREFETCH_ARCH=\"$(uname -m)\"\n    for path in \"$RPM_PREFETCH_DIR\"/*; do\n      if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n        echo \"Removing: $path\"\n        rm -rf \"$path\"\n      else\n        echo \"Keeping: $path\"\n      fi\n    done\n  fi\n\n  VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n  # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n  # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n  sed -E -i \\\n      -e 'H;1h;$!d;x' \\\n      -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n    @igM' \\\n      \"$dockerfile_copy\"\n\n  prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n  if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n    echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n    mkdir -p \"$YUM_REPOS_D_FETCHED\"\n    if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n      cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n    fi\n  fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n  cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n  mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n  VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n  \"--label\" \"architecture=$(uname -m)\"\n  \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n  BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n  BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n  FINAL_BASE_IMAGE=$(\n    # Get the base image of the final stage\n    # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n    # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n    # Run the find_root_stage() function on the final stage\n    # If the final stage is scratch or oci-archive, return empty\n    jq -r '.Stages as $all_stages |\n      def find_root_stage($stage):\n        if $stage.From.Stage then\n          find_root_stage($all_stages[$stage.From.Stage.Index])\n        else\n          $stage\n        end;\n\n        find_root_stage(.Stages[-1]) |\n        if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n          empty\n        else\n          .BaseName\n        end' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n  )\n  if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n    set_proxy\n    buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null` `\n    unset_proxy\n    buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n  fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n  if [[ \"$label\" != \"--label\" ]]; then\n    label_pairs+=(\"$label\")\n  fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n  label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n  [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n  | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  echo \"\" \u003e\u003e\"$dockerfile_copy\"\n  # Always write labels.json to the new standard location\n  echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  # Conditionally write to the old location for backward compatibility\n  if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n    echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n  ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n  cp \"$containerignore\" \"$ignorefile_copy\"\n  {\n    echo \"\"\n    echo \"!/labels.json\"\n    echo \"!/content-sets.json\"\n  } \u003e\u003e \"$ignorefile_copy\"\n  BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n#    shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n  cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n  mkdir -p /shared/rhsm/etc/pki/entitlement\n  mkdir -p /shared/rhsm/etc/pki/consumer\n\n  VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key \\\n                  -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z \\\n                  -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n  echo \"Adding activation key to the build\"\n\n  if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n    # user is not running registration in the Containerfile: pre-register.\n    echo \"Pre-registering with subscription manager.\"\n    export RETRY_MAX_TRIES=6\n    if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"\n    then\n      echo \"Subscription-manager register failed\"\n      exit 1\n    fi\n    unset RETRY_MAX_TRIES\n    trap 'subscription-manager unregister || true' EXIT\n\n    # copy generated certificates to /shared volume\n    cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n    cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n    # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n    VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n  fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e /dev/null; then\n  cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n  VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n  echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n  if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n    echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n    echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n    exit 1\n  fi\n  # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n  # (we set the workdir using 'unshare -w')\n  context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n  VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n  # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n  # Instrumented builds (SAST) use this step as their base and add some other tools.\n  while read -r volume_mount; do\n    VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n  done \u003c\u003c\u003c \"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n  cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n  while read -r filename; do\n    echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n    BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n  done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n    buildah build\n    \"${VOLUME_MOUNTS[@]}\"\n    \"${BUILDAH_ARGS[@]}\"\n    \"${LABELS[@]}\"\n    \"${ANNOTATIONS[@]}\"\n    --tls-verify=\"$TLSVERIFY\" --no-cache\n    --ulimit nofile=4096:4096\n    --http-proxy=false\n    -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n  command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n  command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n  # Get the image pullspec and filter out a tag if it is not set\n  # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n  base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n  # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n  # if buildah did not use that particular image during build because it was skipped\n  if [ -n \"$base_image_digest\" ]; then\n    echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n  fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e /shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "konflux-test-in9cf96e779ee0d71e28ce38a5075bf1a8-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "push",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"\nthen\n  echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/workspace/source/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n  echo \"Failed to push sbom image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c \"/workspace/source\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/workspace/source/image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"\nthen\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n  [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n  [rekorInternalUrl]=REKOR_URL\n  [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n  [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n  [rekorInternalUrl]=rekorExternalUrl\n  [fulcioInternalUrl]=fulcioExternalUrl\n  [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e /shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e /tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\n  cyclonedx)\n    syft_sbom_type=cyclonedx-json@1.5 ;;\n  spdx)\n    syft_sbom_type=spdx-json@2.3 ;;\n  *)\n    echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/workspace/source/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/source/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n    --additional-base-images)\n      shift\n      while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ADDITIONAL_BASE_IMAGES+=(\"$1\"); shift; done\n      ;;\n    *)\n      echo \"unexpected argument: $1\" \u003e\u00262\n      exit 2\n      ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/workspace/source/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/workspace/source/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/workspace/source/sbom-source.json\")\nfi\n\nif [ -f \"/workspace/source/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/workspace/source/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n    # spdx export data as rawstring, we want structured json as cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code to build.",
                            "name": "source"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "build.appstudio.redhat.com/commit_sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "build.appstudio.redhat.com/pull_request_number": "9608",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-6095c5874a",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969005529",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ggmahh",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9608",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/9e58fa08-a11d-4584-a021-5b1cc07863ca/records/a31705ea-8669-4674-a7ce-1726ec16c3a8",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"7d75ea79923fbfb364a3933b82706d14ed207ae6\",\"eventType\":\"pull_request\",\"pull_request-id\":9608}",
                    "results.tekton.dev/result": "group-i4dp/results/9e58fa08-a11d-4584-a021-5b1cc07863ca",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, appstudio",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-ld7t88",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:22:19Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-ld7t88",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969005529",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9608",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "tekton.dev/pipelineRunUID": "9e58fa08-a11d-4584-a021-5b1cc07863ca",
                    "tekton.dev/pipelineTask": "push-dockerfile",
                    "tekton.dev/task": "push-dockerfile",
                    "test.appstudio.openshift.io/pr-group-sha": "edbeabfd827400ac3bfec9b61ce3693a2847caaf0da2ea172da74adf84c60c"
                },
                "name": "konflux-test-in9cf96e779ee0d71e28ce38a5075bf1a8-push-dockerfile",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                        "uid": "9e58fa08-a11d-4584-a021-5b1cc07863ca"
                    }
                ],
                "resourceVersion": "37794",
                "uid": "a31705ea-8669-4674-a7ce-1726ec16c3a8"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "."
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-ld7t88",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "push-dockerfile"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3@sha256:64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-9fda02ee57"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:22:34Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:22:34Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-in9cf96e779ee0ad699c72f98bc362205bd38a23059e87-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        "entryPoint": "push-dockerfile",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88@sha256:a213aec24e95c836839b9570d0ae4d35c03810da02e412544154d5951639deb1"
                    }
                ],
                "startTime": "2026-07-03T09:22:22Z",
                "steps": [
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d671a83b7a61aa0fb05bd5d1445df32a09cd30c6e45a74131c434b3d7081a3e9",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:22:33Z",
                            "message": "[{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88@sha256:a213aec24e95c836839b9570d0ae4d35c03810da02e412544154d5951639deb1\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:22:32Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.",
                    "params": [
                        {
                            "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": ".dockerfile",
                            "description": "Suffix of the Dockerfile image tag.",
                            "name": "TAG_SUFFIX",
                            "type": "string"
                        },
                        {
                            "default": "application/vnd.konflux.dockerfile",
                            "description": "Artifact type of the Dockerfile image.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest-pinned image reference to the Dockerfile image.",
                            "name": "IMAGE_REF",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--source",
                                "source",
                                "--context",
                                ".",
                                "--containerfile",
                                "Dockerfile",
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6",
                                "--image-digest",
                                "sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d",
                                "--artifact-type",
                                "application/vnd.konflux.dockerfile",
                                "--tag-suffix",
                                ".dockerfile",
                                "--result-path-image-ref",
                                "/tekton/results/IMAGE_REF",
                                "--alternative-filename",
                                "Dockerfile"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "push-containerfile"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                            "name": "push",
                            "workingDir": "/workspace/workspace"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code from where the Dockerfile is discovered.",
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "build.appstudio.redhat.com/commit_sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "build.appstudio.redhat.com/pull_request_number": "9608",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-6095c5874a",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969005529",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ggmahh",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9608",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/9e58fa08-a11d-4584-a021-5b1cc07863ca/records/4a00a3c0-4c4b-44c9-b4d0-cdf4e4308e7f",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"7d75ea79923fbfb364a3933b82706d14ed207ae6\",\"eventType\":\"pull_request\",\"pull_request-id\":9608}",
                    "results.tekton.dev/result": "group-i4dp/results/9e58fa08-a11d-4584-a021-5b1cc07863ca",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-ld7t88",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:22:19Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-ld7t88",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969005529",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9608",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "tekton.dev/pipelineRunUID": "9e58fa08-a11d-4584-a021-5b1cc07863ca",
                    "tekton.dev/pipelineTask": "sast-snyk-check",
                    "tekton.dev/task": "sast-snyk-check",
                    "test.appstudio.openshift.io/pr-group-sha": "edbeabfd827400ac3bfec9b61ce3693a2847caaf0da2ea172da74adf84c60c"
                },
                "name": "konflux-test-in9cf96e779ee0d71e28ce38a5075bf1a8-sast-snyk-check",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                        "uid": "9e58fa08-a11d-4584-a021-5b1cc07863ca"
                    }
                ],
                "resourceVersion": "38009",
                "uid": "4a00a3c0-4c4b-44c9-b4d0-cdf4e4308e7f"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-ld7t88",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-snyk-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-9fda02ee57"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:22:34Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:22:34Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-in9cf96e779ee017853e1a55b5eb0bc00a21140b4d951c-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        "entryPoint": "sast-snyk-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-03T09:22:33+00:00\",\"note\":\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:22:19Z",
                "steps": [
                    {
                        "container": "step-sast-snyk-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-snyk-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6e579421e8d84f6031ebefea8d27a2ad521007a6681fb5ceaa844ddb7d52cdb2",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:22:33Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-03T09:22:33+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:22:32Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e6e34718dfea4c818d654d448b3cfa2973aa77dc7943bf005d3c1429d6220a42",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:22:34Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-03T09:22:33+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:22:34Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.\n\nFollow the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/) to obtain a snyk-token and to enable the snyk task in a Pipeline.\n\nThe snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test\n\nSee https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.",
                    "params": [
                        {
                            "default": "snyk-secret",
                            "description": "Name of secret which contains Snyk token.",
                            "name": "SNYK_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Append arguments.",
                            "name": "ARGS",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Digest of the image to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Report only important findings in task result. Default is \"true\". To report all findings in task result, specify \"false\". Uploaded SARIF report to remote registry always includes all findings, regardless of severity level.",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Write excluded records in file. Useful for auditing (defaults to false).",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.",
                            "name": "IGNORE_FILE_PATHS",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "6Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "6Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNYK_SECRET",
                                    "value": "snyk-secret"
                                },
                                {
                                    "name": "ARGS"
                                },
                                {
                                    "name": "IGNORE_FILE_PATHS"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-snyk-check",
                            "script": "#!/usr/bin/env bash\n\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\n# Installation of Red Hat certificates for cloning Red Hat internal repositories\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSNYK_TOKEN_PATH=\"/etc/secrets/snyk_token\"\nif [ -f \"${SNYK_TOKEN_PATH}\" ] \u0026\u0026 [ -s \"${SNYK_TOKEN_PATH}\" ]; then\n  # SNYK token is provided\n  SNYK_TOKEN=\"$(cat ${SNYK_TOKEN_PATH})\"\n  export SNYK_TOKEN\nelse\n  # According to shellcheck documentation, the following error can be ignored as it is ignored through indirection: https://www.shellcheck.net/wiki/SC2034\n  # shellcheck disable=SC2034\n  to_enable_snyk='[here](https://konflux-ci.dev/docs/testing/build/snyk/)'\n  note=\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given ${to_enable_snyk}\"\n  TEST_OUTPUT=$(make_result_json -r SKIPPED -t \"$note\")\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nSNYK_EXIT_CODE=0\nSOURCE_CODE_DIR=/workspace/workspace\n\n# We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.\n(cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 IFS=\",\" \u0026\u0026 for path in $IGNORE_FILE_PATHS; do\n  snyk ignore --file-path=\"source/${path}\"\ndone)\n\nset +e\necho \"INFO: Running 'snyk code test'..\"\n# We do want to expand ARGS (it can be multiple CLI flags, not just one)\n# shellcheck disable=SC2086\n\n# Generate full paths for each directory in TARGET_DIRS\nIFS=\",\" read -ra TARGETS_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGETS_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # Ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ ! \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\n\n  # Ensure directory exists\n  if [ ! -d \"$resolved_path\" ]; then\n    echo \"Warning: Directory $resolved_path does not exist, skipping\"\n    continue\n  fi\n\n  echo \"INFO: Scanning directory: $resolved_path\"\n  # We do want to expand ARGS (it can be multiple CLI flags, not just one)\n  # shellcheck disable=SC2086\n  snyk code test $ARGS \"$resolved_path\" --max-depth=1 --sarif-file-output=\"${resolved_path}/sast_snyk_check_out_${d//\\//_}.json\" 1\u003e\u00262\u003e\u003e stdout.txt\n  cmd_exit_code=$?\n  # Track the exit code: if any snyk command fails, preserve the failure\n  # Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error, 3 = no supported files\n  # Error codes (2+) always override, warning codes (1,3) only if no previous error\n  if [[ \"$cmd_exit_code\" -ne 0 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 1 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 3 ]]; then\n    SNYK_EXIT_CODE=$cmd_exit_code\n  fi\n\ndone\n\n# Merge all SARIF outputs\nfind \"$SOURCE_CODE_DIR\" -name \"sast_snyk_check_out_*.json\" -exec cat {} + \u003e \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\nset -e\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\n\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n  # Check if the merged SARIF file has content - this could happen if the snyk scan found no findings\n  if [ ! -s \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\" ]; then\n    echo \"WARN: No JSON output files were generated by snyk scan\"\n    # Get snyk version for proper SARIF metadata\n    SNYK_VERSION=$(snyk --version 2\u003e/dev/null | head -1 | tr -d '\\n' || echo \"unknown\")\n    # Create a valid minimal SARIF structure using jq\n    # Note: coverage array is required even when empty because downstream jq commands expect it\n    jq -n --arg version \"$SNYK_VERSION\" '{\n      \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n      \"version\": \"2.1.0\",\n      \"runs\": [{\n        \"tool\": {\n          \"driver\": {\n            \"name\": \"snyk\",\n            \"version\": $version,\n            \"informationUri\": \"https://snyk.io\"\n          }\n        },\n        \"results\": [],\n        \"properties\": {\n          \"coverage\": []\n        }\n      }]\n    }' \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\n  fi\n\n  # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context\n  (cd  \"${SOURCE_CODE_DIR}\" \u0026\u0026 csgrep --mode=json --embed-context=3 \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json) \\\n    | csgrep --mode=json --strip-path-prefix=\"source/\"  \\\n    \u003e sast_snyk_check_out_all_findings.json\n\n  echo \"INFO: Initial results:\"\n  csgrep --mode=evtstat sast_snyk_check_out_all_findings.json\n\n  if [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\n  fi\n  PROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n  # create the KFP clone directory regardless\n  KFP_DIR=\"known-false-positives\"\n  KFP_CLONED=\"0\"\n  mkdir \"${KFP_DIR}\"\n\n  # We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\n  if [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n      echo \"INFO: Trying to clone known-false-positives..\"\n      git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\n  fi\n\n  if [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone know-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json\n  else\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    CMD=(\n      csfilter-kfp\n      --verbose\n      --kfp-dir=\"${KFP_DIR}\"\n      --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [ \"${RECORD_EXCLUDED}\" == \"true\" ]; then\n      CMD+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    set +e\n    \"${CMD[@]}\" sast_snyk_check_out_all_findings.json \u003e filtered_sast_snyk_check_out.json\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n      echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n      echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\n    echo \"INFO: Results after filtering:\"\n    (set -x \u0026\u0026 csgrep --mode=evtstat filtered_sast_snyk_check_out.json)\n  fi\n\n  # Generation of scan stats\n\n  total_files=$(jq '[.runs[0].properties.coverage[].files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n  supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == \"SUPPORTED\") | .files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n\n  # We make sure the values are 0 if no supported/total files are found\n  if [ \"$total_files\" = \"null\" ] || [ -z \"$total_files\" ]; then\n    total_files=0\n  fi\n\n  if [ \"$supported_files\" = \"null\" ] || [ -z \"$supported_files\" ]; then\n    supported_files=0\n  fi\n\n  coverage_ratio=0\n  if (( total_files \u003e 0 )); then\n      coverage_ratio=$((supported_files * 100 / total_files))\n  fi\n\n  # embed stats in results file and convert to SARIF\n  csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:\"${coverage_ratio}\" \\\n                      --set-scan-prop snyk-scanned-files-success:\"${supported_files}\"  \\\n                      --set-scan-prop snyk-scanned-files-total:\"${total_files}\" \\\n                      filtered_sast_snyk_check_out.json  \u003e sast_snyk_check_out.sarif\n\n  # Create filtered SARIF for Tekton task result based on IMP_FINDINGS_ONLY parameter\n  if [ \"${IMP_FINDINGS_ONLY}\" == \"true\" ]; then\n    # Filter to only \"error\" level or higher (high/critical severity) for Tekton task result\n    # In SARIF, defects are given a level like \"error\" or \"warning\". Snyk maps \"high\" level findings to \"error\".\n    # - \"error\" → importance level 1\n    # - \"warning\" (or missing level) → importance level 0\n    RESULT_SARIF=\"result_sast_snyk_check_out.sarif\"\n    csgrep --mode=sarif --imp-level 1 sast_snyk_check_out.sarif \u003e \"$RESULT_SARIF\"\n  else\n    # Use all findings for Tekton task result\n    RESULT_SARIF=\"sast_snyk_check_out.sarif\"\n  fi\n\n  TEST_OUTPUT=\n  parse_test_output \"sast-snyk-check\" sarif \"$RESULT_SARIF\"  || true\n\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n  note=\"Task sast-snyk-check success: Snyk code test found zero supported files.\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-snyk-check test failed because of the following issues:\"\n  cat stdout.txt\n  note=\"Task sast-snyk-check failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets",
                                    "name": "snyk-secret",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_snyk_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n    if [ \"${UPLOAD_FILES}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach to ${IMAGE_URL}\"\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "snyk-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "snyk-secret"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=b93015c813a048b44df2a1f6848f294e54b809cc",
                    "build.appstudio.redhat.com/commit_sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "build.appstudio.redhat.com/pull_request_number": "9609",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969861206",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tdgejf",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9609",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/98825e1a-9891-42cb-af8d-5a63f91639f7/records/922fbfb4-c438-42f3-a270-7e125c8228cb",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"b93015c813a048b44df2a1f6848f294e54b809cc\",\"eventType\":\"pull_request\",\"pull_request-id\":9609}",
                    "results.tekton.dev/result": "group-i4dp/results/98825e1a-9891-42cb-af8d-5a63f91639f7",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:27:30Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-ld7t88",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969861206",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9609",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "tekton.dev/pipelineRunUID": "98825e1a-9891-42cb-af8d-5a63f91639f7",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "konflux-test-integr3b6d3aef108776388619ec0c5839258c-clamav-scan",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                        "uid": "98825e1a-9891-42cb-af8d-5a63f91639f7"
                    }
                ],
                "resourceVersion": "45380",
                "uid": "922fbfb4-c438-42f3-a270-7e125c8228cb"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-ld7t88",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:28:18Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:28:18Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integr3b6d3aef024add450924b5ced2e103e51e248bde-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        "entryPoint": "clamav-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc\", \"digests\": [\"sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1783070891\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-07-03T09:27:31Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:9b2b049119587b5e4e09297ce119396c17717381bbcd1a89041fdf3216073d36",
                        "name": "extract-and-scan-image",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://37de2cfac0dcd611d0144aa48daa2452ba1d9c87b3ce8df1e1ec5a8e1343cd60",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:28:12Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc\\\", \\\"digests\\\": [\\\"sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783070891\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:27:42Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://7e2be24ef573d9fc9b3ca125df5a73b4ca33fedc6467f021accc6b2498eb3a0d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:28:15Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc\\\", \\\"digests\\\": [\\\"sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783070891\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:28:12Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                },
                                "requests": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=$(echo content-$arch)\n    mkdir -p \"$destination\"\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n    if [ $? -ne 0 ]; then\n      echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "build.appstudio.redhat.com/commit_sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "build.appstudio.redhat.com/pull_request_number": "9608",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969005529",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ggmahh",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9608",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/9e58fa08-a11d-4584-a021-5b1cc07863ca/records/42ca7af7-0e85-472b-9ef3-53ed574e55ec",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"7d75ea79923fbfb364a3933b82706d14ed207ae6\",\"eventType\":\"pull_request\",\"pull_request-id\":9608}",
                    "results.tekton.dev/result": "group-i4dp/results/9e58fa08-a11d-4584-a021-5b1cc07863ca",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-ld7t88",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:22:19Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-ld7t88",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969005529",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9608",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "tekton.dev/pipelineRunUID": "9e58fa08-a11d-4584-a021-5b1cc07863ca",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "edbeabfd827400ac3bfec9b61ce3693a2847caaf0da2ea172da74adf84c60c"
                },
                "name": "konflux-test-integr9cf96e779ee0d71e28ce38a5075bf1a8-clamav-scan",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                        "uid": "9e58fa08-a11d-4584-a021-5b1cc07863ca"
                    }
                ],
                "resourceVersion": "39374",
                "uid": "42ca7af7-0e85-472b-9ef3-53ed574e55ec"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-ld7t88",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:23:04Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:23:04Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integr9cf96e77176d6ae5facee2444fcc9c534f1e1173-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        "entryPoint": "clamav-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6\", \"digests\": [\"sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1783070581\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-07-03T09:22:20Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:9b2b049119587b5e4e09297ce119396c17717381bbcd1a89041fdf3216073d36",
                        "name": "extract-and-scan-image",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://16f30fead84a522b3f121f1c49f1ec7182fe58f23f7526665f21aff849e6b8f9",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:23:01Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6\\\", \\\"digests\\\": [\\\"sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783070581\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:22:32Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e33d4a836e33a23d563da3b6038596ad932d3d45322f0b96a5acd39e578a1c8e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:23:03Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6\\\", \\\"digests\\\": [\\\"sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783070581\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:23:01Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                },
                                "requests": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=$(echo content-$arch)\n    mkdir -p \"$destination\"\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n    if [ $? -ne 0 ]; then\n      echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=b93015c813a048b44df2a1f6848f294e54b809cc",
                    "build.appstudio.redhat.com/commit_sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "build.appstudio.redhat.com/pull_request_number": "9609",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969861206",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tdgejf",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9609",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/98825e1a-9891-42cb-af8d-5a63f91639f7/records/865ab143-d815-4cd1-927c-ae6efcd2342c",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"b93015c813a048b44df2a1f6848f294e54b809cc\",\"eventType\":\"pull_request\",\"pull_request-id\":9609}",
                    "results.tekton.dev/result": "group-i4dp/results/98825e1a-9891-42cb-af8d-5a63f91639f7",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:27:31Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-ld7t88",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969861206",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9609",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "tekton.dev/pipelineRunUID": "98825e1a-9891-42cb-af8d-5a63f91639f7",
                    "tekton.dev/pipelineTask": "apply-tags",
                    "tekton.dev/task": "apply-tags",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "konflux-test-integra3b6d3aef108776388619ec0c5839258c-apply-tags",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                        "uid": "98825e1a-9891-42cb-af8d-5a63f91639f7"
                    }
                ],
                "resourceVersion": "43825",
                "uid": "865ab143-d815-4cd1-927c-ae6efcd2342c"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-ld7t88",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "apply-tags"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:27:42Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:27:42Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integra3b6d3aee12cdeaba91d76183eef7444a961eb4c-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        "entryPoint": "apply-tags",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags"
                    }
                },
                "startTime": "2026-07-03T09:27:33Z",
                "steps": [
                    {
                        "container": "step-apply-additional-tags",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                        "name": "apply-additional-tags",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://06b5ad3d5d1dc61f315fe0bd37ab171a739d73d633962fcc02e292794b90b7ca",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:27:41Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:27:40Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Applies additional tags to the built image.",
                    "params": [
                        {
                            "description": "Image repository and tag reference of the the built image.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest of the built image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional tags that will be applied to the image in the registry.",
                            "name": "ADDITIONAL_TAGS",
                            "type": "array"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc",
                                "--digest",
                                "sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e",
                                "--tags",
                                "--tags-from-image-label",
                                "konflux.additional-tags"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "apply-tags"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                            "name": "apply-additional-tags"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=b93015c813a048b44df2a1f6848f294e54b809cc",
                    "build.appstudio.redhat.com/commit_sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "build.appstudio.redhat.com/pull_request_number": "9609",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969861206",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tdgejf",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9609",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/98825e1a-9891-42cb-af8d-5a63f91639f7/records/64f8ddfc-515d-441b-a352-d9d0b25f3c59",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"b93015c813a048b44df2a1f6848f294e54b809cc\",\"eventType\":\"pull_request\",\"pull_request-id\":9609}",
                    "results.tekton.dev/result": "group-i4dp/results/98825e1a-9891-42cb-af8d-5a63f91639f7",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:27:30Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-ld7t88",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969861206",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9609",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "tekton.dev/pipelineRunUID": "98825e1a-9891-42cb-af8d-5a63f91639f7",
                    "tekton.dev/pipelineTask": "clair-scan",
                    "tekton.dev/task": "clair-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "konflux-test-integra3b6d3aef108776388619ec0c5839258c-clair-scan",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                        "uid": "98825e1a-9891-42cb-af8d-5a63f91639f7"
                    }
                ],
                "resourceVersion": "45072",
                "uid": "64f8ddfc-515d-441b-a352-d9d0b25f3c59"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-ld7t88",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clair-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:28:13Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:28:13Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integra3b6d3ae09f7bcb8b96cfefdb392aa957e256d2b-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        "entryPoint": "clair-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc\", \"digests\": [\"sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e\":\"sha256:00eb225ec3ca4ce94d4a87f6f897fd411d10906841f09edb48d4b005f1689d59\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":147,\"low\":150,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:28:10+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:27:30Z",
                "steps": [
                    {
                        "container": "step-get-image-manifests",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "get-image-manifests",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2243479cc8ea6b8c4d6c301ac10c106c8ea1da9beb5210ad605fa9f4f03fb46a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:27:47Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:27:43Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:e030a6094b6d88b430ed049a6a59808f4b795e9d8293d72a4bbab44da8cc429f",
                        "name": "get-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b56de12cf63619a2b1dc0eb2b3e5c5059d0f69d5c6c46135c28f69e05d5d2d21",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:28:04Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:27:48Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/oras@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                        "name": "oci-attach-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://4ef6cb939c3830e8b257690e4b524fe5572add25f3fd49d536c0cc46739dbb05",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:28:06Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:28:04Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "conftest-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://144ea5d7eae55aa6e4188c8e67ea7291a35efb398cb99f8240dda45e8a526dbd",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:28:10Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc\\\", \\\"digests\\\": [\\\"sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e\\\":\\\"sha256:00eb225ec3ca4ce94d4a87f6f897fd411d10906841f09edb48d4b005f1689d59\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":147,\\\"low\\\":150,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:28:10+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:28:06Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform built by.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused, should be removed in next task version.",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Clair scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "get-image-manifests",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clair-in-ci:v1",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n  { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee  \"clair-report-$2.json\"; } \u0026\u0026 \\\n  { retry clair-action convert  --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-$arch.sha\"\n\n  if [ -e \"$sha_file\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n    local digest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running clair-action on $arch image manifest...\"\n    clair_report \"$digest\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n   fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_clair_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n  echo 'No Clair reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n  fi\n\n  #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "build.appstudio.redhat.com/commit_sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "build.appstudio.redhat.com/pull_request_number": "9608",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969005529",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ggmahh",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9608",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/9e58fa08-a11d-4584-a021-5b1cc07863ca/records/c925ce7a-5b7e-4f1a-ac17-52a506a19293",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"7d75ea79923fbfb364a3933b82706d14ed207ae6\",\"eventType\":\"pull_request\",\"pull_request-id\":9608}",
                    "results.tekton.dev/result": "group-i4dp/results/9e58fa08-a11d-4584-a021-5b1cc07863ca",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-ld7t88",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:22:19Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-ld7t88",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969005529",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9608",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "tekton.dev/pipelineRunUID": "9e58fa08-a11d-4584-a021-5b1cc07863ca",
                    "tekton.dev/pipelineTask": "apply-tags",
                    "tekton.dev/task": "apply-tags",
                    "test.appstudio.openshift.io/pr-group-sha": "edbeabfd827400ac3bfec9b61ce3693a2847caaf0da2ea172da74adf84c60c"
                },
                "name": "konflux-test-integra9cf96e779ee0d71e28ce38a5075bf1a8-apply-tags",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                        "uid": "9e58fa08-a11d-4584-a021-5b1cc07863ca"
                    }
                ],
                "resourceVersion": "38359",
                "uid": "c925ce7a-5b7e-4f1a-ac17-52a506a19293"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-ld7t88",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "apply-tags"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:22:33Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:22:33Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integra9cf96e7a450d6a98dfd9c0f8df05db44dc1a338-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        "entryPoint": "apply-tags",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags"
                    }
                },
                "startTime": "2026-07-03T09:22:22Z",
                "steps": [
                    {
                        "container": "step-apply-additional-tags",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                        "name": "apply-additional-tags",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://60d0939ae07caa9f587390dfa7b6f1ed8d3bf99ad5faef96b4ea67ed213b9809",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:22:32Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:22:31Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Applies additional tags to the built image.",
                    "params": [
                        {
                            "description": "Image repository and tag reference of the the built image.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest of the built image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional tags that will be applied to the image in the registry.",
                            "name": "ADDITIONAL_TAGS",
                            "type": "array"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6",
                                "--digest",
                                "sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d",
                                "--tags",
                                "--tags-from-image-label",
                                "konflux.additional-tags"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "apply-tags"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                            "name": "apply-additional-tags"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "build.appstudio.redhat.com/commit_sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "build.appstudio.redhat.com/pull_request_number": "9608",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969005529",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ggmahh",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9608",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/9e58fa08-a11d-4584-a021-5b1cc07863ca/records/c05dba01-74e0-4f8e-b286-7735504d0698",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"7d75ea79923fbfb364a3933b82706d14ed207ae6\",\"eventType\":\"pull_request\",\"pull_request-id\":9608}",
                    "results.tekton.dev/result": "group-i4dp/results/9e58fa08-a11d-4584-a021-5b1cc07863ca",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-ld7t88",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:22:19Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-ld7t88",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969005529",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9608",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "tekton.dev/pipelineRunUID": "9e58fa08-a11d-4584-a021-5b1cc07863ca",
                    "tekton.dev/pipelineTask": "clair-scan",
                    "tekton.dev/task": "clair-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "edbeabfd827400ac3bfec9b61ce3693a2847caaf0da2ea172da74adf84c60c"
                },
                "name": "konflux-test-integra9cf96e779ee0d71e28ce38a5075bf1a8-clair-scan",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                        "uid": "9e58fa08-a11d-4584-a021-5b1cc07863ca"
                    }
                ],
                "resourceVersion": "39418",
                "uid": "c05dba01-74e0-4f8e-b286-7735504d0698"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-ld7t88",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clair-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:23:24Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:23:24Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integra9cf96e7022fe0e81b5af2711d08b4ef0c2eb00e-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        "entryPoint": "clair-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6\", \"digests\": [\"sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d\":\"sha256:ac074d170fcc5bee7b9fbb271a9aa6bd46ec08fa07ca2c5ea6872699584c0829\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":147,\"low\":150,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:23:11+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:22:19Z",
                "steps": [
                    {
                        "container": "step-get-image-manifests",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "get-image-manifests",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://261babf64c4a3962957c62c9bbc878591b7c5cbb6904ed0d3e8ae8f0db95398d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:22:37Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:22:33Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:e030a6094b6d88b430ed049a6a59808f4b795e9d8293d72a4bbab44da8cc429f",
                        "name": "get-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2e43e56da6df0d86d60313ce3e7aba2dc7482868f8a8b38f9939cf78e771f7f5",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:23:05Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:22:38Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/oras@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                        "name": "oci-attach-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://13ccbe2cd8fbbd883f34f1c9c0eb52308b94c0a98f0f26e30f8d8bd0613c472e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:23:07Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:23:05Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "conftest-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://715451edb8b2822ab51fb0ce425492791abb024542f9771ee90f6f265d98efd0",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:23:11Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6\\\", \\\"digests\\\": [\\\"sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d\\\":\\\"sha256:ac074d170fcc5bee7b9fbb271a9aa6bd46ec08fa07ca2c5ea6872699584c0829\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":147,\\\"low\\\":150,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:23:11+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:23:07Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform built by.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused, should be removed in next task version.",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Clair scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "get-image-manifests",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clair-in-ci:v1",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n  { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee  \"clair-report-$2.json\"; } \u0026\u0026 \\\n  { retry clair-action convert  --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-$arch.sha\"\n\n  if [ -e \"$sha_file\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n    local digest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running clair-action on $arch image manifest...\"\n    clair_report \"$digest\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n   fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_clair_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n  echo 'No Clair reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n  fi\n\n  #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=b93015c813a048b44df2a1f6848f294e54b809cc",
                    "build.appstudio.redhat.com/commit_sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "build.appstudio.redhat.com/pull_request_number": "9609",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969861206",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tdgejf",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9609",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/98825e1a-9891-42cb-af8d-5a63f91639f7/records/d338254b-80a3-4299-bd87-bb84cb717090",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"b93015c813a048b44df2a1f6848f294e54b809cc\",\"eventType\":\"pull_request\",\"pull_request-id\":9609}",
                    "results.tekton.dev/result": "group-i4dp/results/98825e1a-9891-42cb-af8d-5a63f91639f7",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:24:41Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-ld7t88",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969861206",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9609",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "tekton.dev/pipelineRunUID": "98825e1a-9891-42cb-af8d-5a63f91639f7",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "konflux-test-integration-c3b6d3aef108776388619ec0c5839258c-init",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                        "uid": "98825e1a-9891-42cb-af8d-5a63f91639f7"
                    }
                ],
                "resourceVersion": "41374",
                "uid": "d338254b-80a3-4299-bd87-bb84cb717090"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-ld7t88",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:24:44Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:24:44Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integration-c3d1c71842aeaeeb6ca6678032010ade68-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-07-03T09:24:41Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                        "name": "init",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://cb8489efd07aa896374cd8ad7b5f7320ccc5868018fbf398ef510b820b454e36",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:24:44Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:24:44Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "build.appstudio.redhat.com/commit_sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "build.appstudio.redhat.com/pull_request_number": "9608",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969005529",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ggmahh",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9608",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/9e58fa08-a11d-4584-a021-5b1cc07863ca/records/ab09ac0b-8e98-4ec2-a7ee-d7feefb5027b",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"7d75ea79923fbfb364a3933b82706d14ed207ae6\",\"eventType\":\"pull_request\",\"pull_request-id\":9608}",
                    "results.tekton.dev/result": "group-i4dp/results/9e58fa08-a11d-4584-a021-5b1cc07863ca",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-ld7t88",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:19:37Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-ld7t88",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969005529",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9608",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "tekton.dev/pipelineRunUID": "9e58fa08-a11d-4584-a021-5b1cc07863ca",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init",
                    "test.appstudio.openshift.io/pr-group-sha": "edbeabfd827400ac3bfec9b61ce3693a2847caaf0da2ea172da74adf84c60c"
                },
                "name": "konflux-test-integration-c9cf96e779ee0d71e28ce38a5075bf1a8-init",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                        "uid": "9e58fa08-a11d-4584-a021-5b1cc07863ca"
                    }
                ],
                "resourceVersion": "35459",
                "uid": "ab09ac0b-8e98-4ec2-a7ee-d7feefb5027b"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-ld7t88",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:19:40Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:19:40Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integration-c9ef29df60afd57c11f1152351e7432462-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-07-03T09:19:37Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                        "name": "init",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e80fd6cce5626540b3476c2489670c529d440fccc64a76e65fdd59472ac78d40",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:19:40Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:19:40Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=b93015c813a048b44df2a1f6848f294e54b809cc",
                    "build.appstudio.redhat.com/commit_sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "build.appstudio.redhat.com/pull_request_number": "9609",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969861206",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tdgejf",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9609",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/98825e1a-9891-42cb-af8d-5a63f91639f7/records/8ee05295-747d-4725-90d3-a3522910b8d5",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"b93015c813a048b44df2a1f6848f294e54b809cc\",\"eventType\":\"pull_request\",\"pull_request-id\":9609}",
                    "results.tekton.dev/result": "group-i4dp/results/98825e1a-9891-42cb-af8d-5a63f91639f7",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:27:30Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-ld7t88",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969861206",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9609",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "tekton.dev/pipelineRunUID": "98825e1a-9891-42cb-af8d-5a63f91639f7",
                    "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks",
                    "tekton.dev/task": "ecosystem-cert-preflight-checks",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "konflux-test-integration-clone-7f21ba73c88994d8e6c8619ad4019f38",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                        "uid": "98825e1a-9891-42cb-af8d-5a63f91639f7"
                    }
                ],
                "resourceVersion": "45166",
                "uid": "8ee05295-747d-4725-90d3-a3522910b8d5"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-ld7t88",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "ecosystem-cert-preflight-checks"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:28:09Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:28:09Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integration-cl50d2e76588afe83df6e492d301e7efa0-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        "entryPoint": "ecosystem-cert-preflight-checks",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks"
                    }
                },
                "results": [
                    {
                        "name": "ARTIFACT_TYPE",
                        "type": "string",
                        "value": "application"
                    },
                    {
                        "name": "ARTIFACT_TYPE_SET_BY",
                        "type": "string",
                        "value": "introspection"
                    },
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc\", \"digests\": [\"sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e\"]}}"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783070886\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-03T09:27:31Z",
                "steps": [
                    {
                        "container": "step-introspect",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "introspect",
                        "provenance": {},
                        "results": [
                            {
                                "name": "artifact-type",
                                "type": "string",
                                "value": "application"
                            },
                            {
                                "name": "artifact-type-set-by",
                                "type": "string",
                                "value": "introspection"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://74271c585cd5dc0bae2d371eb036493d58ccfe57202789616dbf500acd956259",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:27:44Z",
                            "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:27:43Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-generate-container-auth",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "generate-container-auth",
                        "provenance": {},
                        "results": [
                            {
                                "name": "auth-json-path",
                                "type": "string",
                                "value": "/auth/auth.json"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://15d6bf40159768c45eaca0bc489fe32a555a671fc805431f28d2117bb7f099da",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:27:44Z",
                            "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:27:44Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-set-skip-for-bundles",
                        "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                        "name": "set-skip-for-bundles",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://aea2b5aec829c4edebb2bd2ff7d7c56bcbf8b5b68c758e4a6409d3c7fc3db11d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:27:44Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:27:44Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-app-check",
                        "imageID": "quay.io/opdev/preflight@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                        "name": "app-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://8f4d65233bb55e74190d84950c08c9fb8e0184d3523befee01ef868d69e5f8e6",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:28:05Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:27:45Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-app-set-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "app-set-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "images-processed",
                                "type": "string",
                                "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc\", \"digests\": [\"sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e\"]}}"
                            },
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783070886\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://a4e593b7e545ce650617b96750fbb48b2cad2bb27adc230a30a0bc236c9ecbce",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:28:06Z",
                            "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc\\\", \\\"digests\\\": [\\\"sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1783070886\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:28:06Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-final-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "final-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783070886\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://e09791361d2447e466af59fec6590dd09b175c7f02f65f98e08412cfb283dc49",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:28:07Z",
                            "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1783070886\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:28:07Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.",
                    "params": [
                        {
                            "description": "Image url to scan.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "introspect",
                            "description": "The type of artifact. Select from application, operatorbundle, or introspect.",
                            "name": "artifact-type",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform the image is built on.",
                            "name": "platform",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Ecosystem checks pass or fail outcome.",
                            "name": "TEST_OUTPUT",
                            "type": "string",
                            "value": "$(steps.final-outcome.results.test-output)"
                        },
                        {
                            "description": "The artifact type, either introspected or set.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type)"
                        },
                        {
                            "description": "How the artifact type was set.",
                            "name": "ARTIFACT_TYPE_SET_BY",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type-set-by)"
                        },
                        {
                            "description": "Collected image digests",
                            "name": "IMAGES_PROCESSED",
                            "type": "string",
                            "value": "$(steps.app-set-outcome.results.images-processed)"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_ARTIFACT_TYPE",
                                    "value": "introspect"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "introspect",
                            "results": [
                                {
                                    "description": "The type of artifact this task is considering.",
                                    "name": "artifact-type"
                                },
                                {
                                    "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n",
                                    "name": "artifact-type-set-by"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n  echo \"Artifact type will be determined by introspection.\"\n  _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n  # short circuit if the artifact type was set via parameter.\n  echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n  printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n  exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n  _CURRENT_ARCH=$(uname -m)\n  _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n  # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n  # to map them.\n  case ${_CURRENT_ARCH} in\n    \"aarch64\")\n      _CURRENT_ARCH=\"arm64\"\n      ;;\n    \"x86_64\")\n      _CURRENT_ARCH=\"amd64\"\n      ;;\n    *)\n      ;;\n  esac\n\n  # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n  _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n  if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n    echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n  else\n    # If there is no image for the current OS and architecture, just use the first one in the list.\n    _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n    _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n    _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n    _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n    echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n  fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n  | jq '.Labels | keys | .[]' -r \\\n  | { grep operators.operatorframework.io.bundle || true ;} \\\n  | tee /tmp/ecosystem-image-labels\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n"
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "generate-container-auth",
                            "results": [
                                {
                                    "description": "Path to auth.json",
                                    "name": "auth-json-path"
                                }
                            ],
                            "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/auth",
                                    "name": "auth"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                            "name": "set-skip-for-bundles",
                            "results": [
                                {
                                    "description": "A skipped tekton result for bundles.",
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/bundle",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "operatorbundle"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PFLT_DOCKERCONFIG",
                                    "value": "$(steps.generate-container-auth.results.auth-json-path)"
                                },
                                {
                                    "name": "PFLT_KONFLUX",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc"
                                },
                                {
                                    "name": "PARAM_PLATFORM"
                                }
                            ],
                            "image": "quay.io/opdev/preflight:stable@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                            "name": "app-check",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n  # Extract part after slash if present\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n\n  # Validate against supported arch list. If it's not a known arch, return an error result\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n  /usr/local/bin/preflight check container \"$image_url\"\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                },
                                {
                                    "mountPath": "/auth",
                                    "name": "auth",
                                    "readOnly": true
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "app-set-outcome",
                            "results": [
                                {
                                    "description": "The overall outcome of this task.",
                                    "name": "test-output"
                                },
                                {
                                    "description": "Processed image digests.",
                                    "name": "images-processed"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n    # Check if results directory exits\n    RESULT_JSON_PATH=/artifacts/${ARCH}/results.json\n    if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n        continue\n    fi\n    # Process results\n    if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n    PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{  result: $result,\n    timestamp: $date,\n    note: $note,\n    successes: $successes|tonumber,\n    failures: $failures|tonumber,\n    warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n  docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n  if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n    digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n  fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nimage_digest=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" | sha256sum | awk '{print \"sha256:\" $1}')\nif [[ -n \"$image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n  digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "final-outcome",
                            "results": [
                                {
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n  printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n  exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mount",
                                    "name": "pfltoutputdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "pfltoutputdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "auth"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "build.appstudio.redhat.com/commit_sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "build.appstudio.redhat.com/pull_request_number": "9608",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969005529",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ggmahh",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9608",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/9e58fa08-a11d-4584-a021-5b1cc07863ca/records/74c21507-fe97-4e2f-982d-1ecf7abf35b7",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"7d75ea79923fbfb364a3933b82706d14ed207ae6\",\"eventType\":\"pull_request\",\"pull_request-id\":9608}",
                    "results.tekton.dev/result": "group-i4dp/results/9e58fa08-a11d-4584-a021-5b1cc07863ca",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-ld7t88",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:22:19Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-ld7t88",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969005529",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9608",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "tekton.dev/pipelineRunUID": "9e58fa08-a11d-4584-a021-5b1cc07863ca",
                    "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks",
                    "tekton.dev/task": "ecosystem-cert-preflight-checks",
                    "test.appstudio.openshift.io/pr-group-sha": "edbeabfd827400ac3bfec9b61ce3693a2847caaf0da2ea172da74adf84c60c"
                },
                "name": "konflux-test-integration-clone-9b162689b5f604ab2d78c5ebe9d25bac",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                        "uid": "9e58fa08-a11d-4584-a021-5b1cc07863ca"
                    }
                ],
                "resourceVersion": "39317",
                "uid": "74c21507-fe97-4e2f-982d-1ecf7abf35b7"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-ld7t88",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "ecosystem-cert-preflight-checks"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:23:03Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:23:03Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integration-cl7be8b44122bde70937bd57c811fbe087-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        "entryPoint": "ecosystem-cert-preflight-checks",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks"
                    }
                },
                "results": [
                    {
                        "name": "ARTIFACT_TYPE",
                        "type": "string",
                        "value": "application"
                    },
                    {
                        "name": "ARTIFACT_TYPE_SET_BY",
                        "type": "string",
                        "value": "introspection"
                    },
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6\", \"digests\": [\"sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d\"]}}"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783070581\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-03T09:22:19Z",
                "steps": [
                    {
                        "container": "step-introspect",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "introspect",
                        "provenance": {},
                        "results": [
                            {
                                "name": "artifact-type",
                                "type": "string",
                                "value": "application"
                            },
                            {
                                "name": "artifact-type-set-by",
                                "type": "string",
                                "value": "introspection"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://4c2ad839cf26df72e165891b9d65ee0aa7bb9bd89c8349822055ba8f4b9dd2c8",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:22:34Z",
                            "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:22:33Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-generate-container-auth",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "generate-container-auth",
                        "provenance": {},
                        "results": [
                            {
                                "name": "auth-json-path",
                                "type": "string",
                                "value": "/auth/auth.json"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://c9fa8eda231e59305fc4e47e9684784ccace16486f2a7bde0dda0e4a7172e3bb",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:22:34Z",
                            "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:22:34Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-set-skip-for-bundles",
                        "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                        "name": "set-skip-for-bundles",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://fc478ee8aadcacc90bc1fa254e6c966a36d25e22d24824cbb9d856d5f70e9382",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:22:35Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:22:35Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-app-check",
                        "imageID": "quay.io/opdev/preflight@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                        "name": "app-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://5db54b3f5b6284c4149e777a9564f7b058d79510529ccadb64a358040ad1908d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:23:00Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:22:35Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-app-set-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "app-set-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "images-processed",
                                "type": "string",
                                "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6\", \"digests\": [\"sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d\"]}}"
                            },
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783070581\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://6ae4f37c16afdf690ccda7763795337195ce43bdfb3209877eca64471786bb55",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:23:01Z",
                            "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6\\\", \\\"digests\\\": [\\\"sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1783070581\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:23:01Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-final-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "final-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783070581\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://30eae35f03b6c8a20cf1810b5e9cc9a8dd1b945d261c91b79ac5d34401303260",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:23:02Z",
                            "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1783070581\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:23:02Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.",
                    "params": [
                        {
                            "description": "Image url to scan.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "introspect",
                            "description": "The type of artifact. Select from application, operatorbundle, or introspect.",
                            "name": "artifact-type",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform the image is built on.",
                            "name": "platform",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Ecosystem checks pass or fail outcome.",
                            "name": "TEST_OUTPUT",
                            "type": "string",
                            "value": "$(steps.final-outcome.results.test-output)"
                        },
                        {
                            "description": "The artifact type, either introspected or set.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type)"
                        },
                        {
                            "description": "How the artifact type was set.",
                            "name": "ARTIFACT_TYPE_SET_BY",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type-set-by)"
                        },
                        {
                            "description": "Collected image digests",
                            "name": "IMAGES_PROCESSED",
                            "type": "string",
                            "value": "$(steps.app-set-outcome.results.images-processed)"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_ARTIFACT_TYPE",
                                    "value": "introspect"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "introspect",
                            "results": [
                                {
                                    "description": "The type of artifact this task is considering.",
                                    "name": "artifact-type"
                                },
                                {
                                    "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n",
                                    "name": "artifact-type-set-by"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n  echo \"Artifact type will be determined by introspection.\"\n  _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n  # short circuit if the artifact type was set via parameter.\n  echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n  printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n  exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n  _CURRENT_ARCH=$(uname -m)\n  _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n  # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n  # to map them.\n  case ${_CURRENT_ARCH} in\n    \"aarch64\")\n      _CURRENT_ARCH=\"arm64\"\n      ;;\n    \"x86_64\")\n      _CURRENT_ARCH=\"amd64\"\n      ;;\n    *)\n      ;;\n  esac\n\n  # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n  _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n  if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n    echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n  else\n    # If there is no image for the current OS and architecture, just use the first one in the list.\n    _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n    _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n    _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n    _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n    echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n  fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n  | jq '.Labels | keys | .[]' -r \\\n  | { grep operators.operatorframework.io.bundle || true ;} \\\n  | tee /tmp/ecosystem-image-labels\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n"
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "generate-container-auth",
                            "results": [
                                {
                                    "description": "Path to auth.json",
                                    "name": "auth-json-path"
                                }
                            ],
                            "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/auth",
                                    "name": "auth"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                            "name": "set-skip-for-bundles",
                            "results": [
                                {
                                    "description": "A skipped tekton result for bundles.",
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/bundle",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "operatorbundle"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PFLT_DOCKERCONFIG",
                                    "value": "$(steps.generate-container-auth.results.auth-json-path)"
                                },
                                {
                                    "name": "PFLT_KONFLUX",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6"
                                },
                                {
                                    "name": "PARAM_PLATFORM"
                                }
                            ],
                            "image": "quay.io/opdev/preflight:stable@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                            "name": "app-check",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n  # Extract part after slash if present\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n\n  # Validate against supported arch list. If it's not a known arch, return an error result\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n  /usr/local/bin/preflight check container \"$image_url\"\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                },
                                {
                                    "mountPath": "/auth",
                                    "name": "auth",
                                    "readOnly": true
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "app-set-outcome",
                            "results": [
                                {
                                    "description": "The overall outcome of this task.",
                                    "name": "test-output"
                                },
                                {
                                    "description": "Processed image digests.",
                                    "name": "images-processed"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n    # Check if results directory exits\n    RESULT_JSON_PATH=/artifacts/${ARCH}/results.json\n    if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n        continue\n    fi\n    # Process results\n    if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n    PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{  result: $result,\n    timestamp: $date,\n    note: $note,\n    successes: $successes|tonumber,\n    failures: $failures|tonumber,\n    warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n  docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n  if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n    digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n  fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nimage_digest=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" | sha256sum | awk '{print \"sha256:\" $1}')\nif [[ -n \"$image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n  digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "final-outcome",
                            "results": [
                                {
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n  printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n  exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mount",
                                    "name": "pfltoutputdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "pfltoutputdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "auth"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=b93015c813a048b44df2a1f6848f294e54b809cc",
                    "build.appstudio.redhat.com/commit_sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "build.appstudio.redhat.com/pull_request_number": "9609",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-5dd31015b4",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969861206",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tdgejf",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9609",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/98825e1a-9891-42cb-af8d-5a63f91639f7/records/8cb36cb5-9a24-47eb-aba7-a09b4c21d55d",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"b93015c813a048b44df2a1f6848f294e54b809cc\",\"eventType\":\"pull_request\",\"pull_request-id\":9609}",
                    "results.tekton.dev/result": "group-i4dp/results/98825e1a-9891-42cb-af8d-5a63f91639f7",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:27:30Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-ld7t88",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969861206",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9609",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha": "b93015c813a048b44df2a1f6848f294e54b809cc",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                    "tekton.dev/pipelineRunUID": "98825e1a-9891-42cb-af8d-5a63f91639f7",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "konflux-test3b6d3aef108776388619ec0c5839258c-sast-unicode-check",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-ld7t88-on-pull-request-9np5w",
                        "uid": "98825e1a-9891-42cb-af8d-5a63f91639f7"
                    }
                ],
                "resourceVersion": "43844",
                "uid": "8cb36cb5-9a24-47eb-aba7-a09b4c21d55d"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-ld7t88",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.4@sha256:d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-2b298fb171"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:27:53Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:27:53Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test3b6d3aef1087763f777b9f2bfbe4c69373a6c962fc69aa1-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        "entryPoint": "sast-unicode-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:27:46+00:00\",\"note\":\"Task sast-unicode-check success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:27:32Z",
                "steps": [
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-unicode-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2064e728c1049b33f394b1764e430f49feb7f1f8d466d53404d7254664030cbf",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:27:46Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:27:46+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:27:44Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e9ea7cb5e58111995128773c0cc74c763699b6444b7204d8785f4c9aceb9da0f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:27:48Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:27:46+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:27:47Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
                            "description": "arguments for find-unicode-control command.",
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/workspace/workspace"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n    \u003eraw_sast_unicode_check_out.txt \\\n    2\u003eraw_sast_unicode_check_out.log \\\n    || FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n    echo \"Failed to run find-unicode-control command\" \u003e\u00262\n    cat raw_sast_unicode_check_out.log\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n    echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n    --mode=json\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"${SCAN_PROP}\"\n    --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003e processed_sast_unicode_check_out.json 2\u003e processed_sast_unicode_check_out.err; then\n    echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n    cat processed_sast_unicode_check_out.err\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # Build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    # Append --record-excluded option if RECORD_EXCLUDED is true\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003e sast_unicode_check_out.json 2\u003e sast_unicode_check_out.error\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n        mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n    else\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003e sast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n    note=\"Task sast-unicode-check success: No finding was detected\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s  sast_unicode_check_out.sarif ]]; then\n    note=\"Task sast-unicode-check success: Some findings were detected, but filtered by known false positive\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n    echo \"sast-unicode-check test failed because of the following issues:\"\n    cat sast_unicode_check_out.json\n    TEST_OUTPUT=\n    parse_test_output \"sast-unicode-check\" sarif sast_unicode_check_out.sarif  || true\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-b93015c813a048b44df2a1f6848f294e54b809cc"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:d8e72fb38f1c475df7ac8ef72bf99c4cf1dd052e0a3528312313c2c14bad9c2e"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0;\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n\n    if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "build.appstudio.redhat.com/commit_sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "build.appstudio.redhat.com/pull_request_number": "9608",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-6095c5874a",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969005529",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ggmahh",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9608",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/9e58fa08-a11d-4584-a021-5b1cc07863ca/records/2d60aed7-292f-4ed5-9d56-bf5422042f02",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"7d75ea79923fbfb364a3933b82706d14ed207ae6\",\"eventType\":\"pull_request\",\"pull_request-id\":9608}",
                    "results.tekton.dev/result": "group-i4dp/results/9e58fa08-a11d-4584-a021-5b1cc07863ca",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-ld7t88",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:22:19Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-ld7t88",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969005529",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-ld7t88-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9608",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-ld7t88",
                    "pipelinesascode.tekton.dev/sha": "7d75ea79923fbfb364a3933b82706d14ed207ae6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                    "tekton.dev/pipelineRunUID": "9e58fa08-a11d-4584-a021-5b1cc07863ca",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check",
                    "test.appstudio.openshift.io/pr-group-sha": "edbeabfd827400ac3bfec9b61ce3693a2847caaf0da2ea172da74adf84c60c"
                },
                "name": "konflux-test9cf96e779ee0d71e28ce38a5075bf1a8-sast-unicode-check",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-ld7t88-on-pull-request-f9zqz",
                        "uid": "9e58fa08-a11d-4584-a021-5b1cc07863ca"
                    }
                ],
                "resourceVersion": "38329",
                "uid": "2d60aed7-292f-4ed5-9d56-bf5422042f02"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-ld7t88",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.4@sha256:d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-9fda02ee57"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:22:37Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:22:37Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test9cf96e779ee0d7186cf1e96c1974599e0d3cc555b05bf17-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        "entryPoint": "sast-unicode-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:22:35+00:00\",\"note\":\"Task sast-unicode-check success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:22:21Z",
                "steps": [
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-unicode-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6dfee3e22916d4185fbc3fb245b8f4fd427bbdf0578e7d79c061722660ce9c27",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:22:35Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:22:35+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:22:34Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3d243c70b77a6e6da19409be4d641a7dbf029cf50a7212baa3627cfeebf5c32a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:22:37Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:22:35+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:22:35Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
                            "description": "arguments for find-unicode-control command.",
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/workspace/workspace"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n    \u003eraw_sast_unicode_check_out.txt \\\n    2\u003eraw_sast_unicode_check_out.log \\\n    || FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n    echo \"Failed to run find-unicode-control command\" \u003e\u00262\n    cat raw_sast_unicode_check_out.log\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n    echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n    --mode=json\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"${SCAN_PROP}\"\n    --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003e processed_sast_unicode_check_out.json 2\u003e processed_sast_unicode_check_out.err; then\n    echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n    cat processed_sast_unicode_check_out.err\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # Build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    # Append --record-excluded option if RECORD_EXCLUDED is true\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003e sast_unicode_check_out.json 2\u003e sast_unicode_check_out.error\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n        mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n    else\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003e sast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n    note=\"Task sast-unicode-check success: No finding was detected\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s  sast_unicode_check_out.sarif ]]; then\n    note=\"Task sast-unicode-check success: Some findings were detected, but filtered by known false positive\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n    echo \"sast-unicode-check test failed because of the following issues:\"\n    cat sast_unicode_check_out.json\n    TEST_OUTPUT=\n    parse_test_output \"sast-unicode-check\" sarif sast_unicode_check_out.sarif  || true\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/konflux-test-integration-clone-ld7t88:on-pr-7d75ea79923fbfb364a3933b82706d14ed207ae6"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:e591d78d47462608db593edbf9516b96e0c6a38c8cd4e152c254ec9fd9695b4d"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0;\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n\n    if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "build.appstudio.redhat.com/commit_sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "build.appstudio.redhat.com/pull_request_number": "22773",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84967978960",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ycsfib",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-nq6fx",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-28wip7",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-28wip7",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/d0903d73-a704-4437-bb2a-90c56c6912d6/records/bf13e1a0-afe3-4908-8cd8-57b78d89cef5",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\",\"eventType\":\"pull_request\",\"pull_request-id\":22773}",
                    "results.tekton.dev/result": "group-i4dp/results/d0903d73-a704-4437-bb2a-90c56c6912d6",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-28wip7",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:17:16Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84967978960",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-nq6fx",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-nq6fx",
                    "tekton.dev/pipelineRunUID": "d0903d73-a704-4437-bb2a-90c56c6912d6",
                    "tekton.dev/pipelineTask": "coverity-availability-check",
                    "tekton.dev/task": "coverity-availability-check",
                    "test.appstudio.openshift.io/pr-group-sha": "258679abe19d5d494ae31bf8378944fc84231aac62b193a6d81f2ac7866fe4"
                },
                "name": "pyt63090fcc62a458c135e2e0bf0e2a4a01-coverity-availability-check",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-nq6fx",
                        "uid": "d0903d73-a704-4437-bb2a-90c56c6912d6"
                    }
                ],
                "resourceVersion": "33399",
                "uid": "bf13e1a0-afe3-4908-8cd8-57b78d89cef5"
            },
            "spec": {
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "coverity-availability-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:17:29Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:17:29Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pyt63090fcc62a458c135e2e0bf21c7fb052776912edf45eec146446be9-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        "entryPoint": "coverity-availability-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check"
                    }
                },
                "results": [
                    {
                        "name": "STATUS",
                        "type": "string",
                        "value": "failed"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"2026-07-03T09:17:27+00:00\",\"note\":\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\",\"namespace\":\"default\",\"successes\":0,\"failures\":1,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:17:17Z",
                "steps": [
                    {
                        "container": "step-coverity-availability-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "coverity-availability-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://418e9b704dfdd22826f9c263d3c850ce3f05bcc2f8928ccfd824ae28c9895a54",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:17:28Z",
                            "message": "[{\"key\":\"STATUS\",\"value\":\"failed\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"2026-07-03T09:17:27+00:00\\\",\\\"note\\\":\\\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":1,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:17:27Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.",
                    "params": [
                        {
                            "default": "cov-license",
                            "description": "Name of secret which contains the Coverity license",
                            "name": "COV_LICENSE",
                            "type": "string"
                        },
                        {
                            "default": "auth-token-coverity-image",
                            "description": "Name of secret which contains the authentication token for pulling the Coverity image.",
                            "name": "AUTH_TOKEN_COVERITY_IMAGE",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task result output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Tekton task simple status to be later checked",
                            "name": "STATUS",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "COV_LICENSE",
                                    "value": "cov-license"
                                },
                                {
                                    "name": "AUTH_TOKEN_COVERITY_IMAGE",
                                    "value": "auth-token-coverity-image"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "coverity-availability-check",
                            "script": "#!/usr/bin/env bash\nset -eo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Checking Coverity license\nCOV_LICENSE_PATH=/etc/secrets/cov/cov-license\nif [ -f \"${COV_LICENSE_PATH}\" ] \u0026\u0026 [ -s \"${COV_LICENSE_PATH}\" ]; then\n  echo \"Coverity license detected!\"\nelse\n  echo 'No license file for Coverity was detected. Coverity scan will not be executed...'\n  echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license'\n  note=\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# Checking authentication token for downloading coverity image\nAUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json\nif [ -f \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ] \u0026\u0026 [ -s \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ]; then\n  echo \"Authentication token detected!\"\nelse\n  echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...'\n  echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image'\n  note=\"Task coverity-availability-check failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nnote=\"Task coverity-availability-check completed: Coverity availability checks finished succesfully.\"\n# shellcheck disable=SC2034\nTEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t \"$note\")\necho -n \"success\" | tee \"/tekton/results/STATUS\"\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets/cov",
                                    "name": "cov-license",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/secrets/auth/config.json",
                                    "name": "auth-token-coverity-image",
                                    "subPath": ".dockerconfigjson"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "cov-license",
                            "secret": {
                                "optional": true,
                                "secretName": "cov-license"
                            }
                        },
                        {
                            "name": "auth-token-coverity-image",
                            "secret": {
                                "optional": true,
                                "secretName": "auth-token-coverity-image"
                            }
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "build.appstudio.redhat.com/commit_sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "build.appstudio.redhat.com/pull_request_number": "22773",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84967978960",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ycsfib",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-nq6fx",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-28wip7",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-28wip7",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/d0903d73-a704-4437-bb2a-90c56c6912d6/records/28b88861-1d71-494a-8654-831f0ad2ad4f",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\",\"eventType\":\"pull_request\",\"pull_request-id\":22773}",
                    "results.tekton.dev/result": "group-i4dp/results/d0903d73-a704-4437-bb2a-90c56c6912d6",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-28wip7",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:17:16Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84967978960",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-nq6fx",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-nq6fx",
                    "tekton.dev/pipelineRunUID": "d0903d73-a704-4437-bb2a-90c56c6912d6",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "tekton.dev/task": "deprecated-image-check",
                    "test.appstudio.openshift.io/pr-group-sha": "258679abe19d5d494ae31bf8378944fc84231aac62b193a6d81f2ac7866fe4"
                },
                "name": "pyt63090fcc62a458c135e2e0bf0e2a4a01-deprecated-base-image-check",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-nq6fx",
                        "uid": "d0903d73-a704-4437-bb2a-90c56c6912d6"
                    }
                ],
                "resourceVersion": "33317",
                "uid": "28b88861-1d71-494a-8654-831f0ad2ad4f"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:17:32Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:17:32Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pyt63090fcc62a458c135e2e0bf7793beb078bad6f17d5e8dd0f99c9024-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\", \"digests\": [\"sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:17:31+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":1,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:17:16Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "check-images",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2afefd06adb763d5382f310853c287a9c3e8db9b6e2eaea06faeee6ae30b84e8",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:17:32Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\\\", \\\"digests\\\": [\\\"sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:17:31+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":1,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:17:25Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    # Get base images from SBOM\n    cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n    if [ $? -ne 0 ]; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n  # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n  mkdir -p ${IMAGE_REPO_PATH}\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n    --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n    --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n    failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=199efd7eac382257fdf540ad73856a709ce62977",
                    "build.appstudio.redhat.com/commit_sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "build.appstudio.redhat.com/pull_request_number": "22774",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84970971541",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-aizxpa",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-s24dt",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/e11c6258-b1db-4160-a206-8241e80c155d/records/ac43cc96-0f32-49e7-9b2f-6c465a7bea39",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"199efd7eac382257fdf540ad73856a709ce62977\",\"eventType\":\"pull_request\",\"pull_request-id\":22774}",
                    "results.tekton.dev/result": "group-i4dp/results/e11c6258-b1db-4160-a206-8241e80c155d",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-v9b4py-on-pull-request-rxqst is running for component go-component-v9b4py, waiting for it to create a new group Snapshot for PR group pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:34:07Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84970971541",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-s24dt",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-s24dt",
                    "tekton.dev/pipelineRunUID": "e11c6258-b1db-4160-a206-8241e80c155d",
                    "tekton.dev/pipelineTask": "coverity-availability-check",
                    "tekton.dev/task": "coverity-availability-check",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "pyt817a9145db84110a5673aa1576ecda3d-coverity-availability-check",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-s24dt",
                        "uid": "e11c6258-b1db-4160-a206-8241e80c155d"
                    }
                ],
                "resourceVersion": "51537",
                "uid": "ac43cc96-0f32-49e7-9b2f-6c465a7bea39"
            },
            "spec": {
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "coverity-availability-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:35:25Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:35:25Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pyt817a9145db84110a5673aa1593880fdbb5be072b527a3fee70405a4c-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        "entryPoint": "coverity-availability-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check"
                    }
                },
                "results": [
                    {
                        "name": "STATUS",
                        "type": "string",
                        "value": "failed"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"2026-07-03T09:35:21+00:00\",\"note\":\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\",\"namespace\":\"default\",\"successes\":0,\"failures\":1,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:34:08Z",
                "steps": [
                    {
                        "container": "step-coverity-availability-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "coverity-availability-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d9949f8661fdc6b39977bf2b530bd0ace1a90a93c057a0d1434eb746d08c2315",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:35:21Z",
                            "message": "[{\"key\":\"STATUS\",\"value\":\"failed\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"2026-07-03T09:35:21+00:00\\\",\\\"note\\\":\\\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":1,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:35:20Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.",
                    "params": [
                        {
                            "default": "cov-license",
                            "description": "Name of secret which contains the Coverity license",
                            "name": "COV_LICENSE",
                            "type": "string"
                        },
                        {
                            "default": "auth-token-coverity-image",
                            "description": "Name of secret which contains the authentication token for pulling the Coverity image.",
                            "name": "AUTH_TOKEN_COVERITY_IMAGE",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task result output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Tekton task simple status to be later checked",
                            "name": "STATUS",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "COV_LICENSE",
                                    "value": "cov-license"
                                },
                                {
                                    "name": "AUTH_TOKEN_COVERITY_IMAGE",
                                    "value": "auth-token-coverity-image"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "coverity-availability-check",
                            "script": "#!/usr/bin/env bash\nset -eo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Checking Coverity license\nCOV_LICENSE_PATH=/etc/secrets/cov/cov-license\nif [ -f \"${COV_LICENSE_PATH}\" ] \u0026\u0026 [ -s \"${COV_LICENSE_PATH}\" ]; then\n  echo \"Coverity license detected!\"\nelse\n  echo 'No license file for Coverity was detected. Coverity scan will not be executed...'\n  echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license'\n  note=\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# Checking authentication token for downloading coverity image\nAUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json\nif [ -f \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ] \u0026\u0026 [ -s \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ]; then\n  echo \"Authentication token detected!\"\nelse\n  echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...'\n  echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image'\n  note=\"Task coverity-availability-check failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nnote=\"Task coverity-availability-check completed: Coverity availability checks finished succesfully.\"\n# shellcheck disable=SC2034\nTEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t \"$note\")\necho -n \"success\" | tee \"/tekton/results/STATUS\"\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets/cov",
                                    "name": "cov-license",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/secrets/auth/config.json",
                                    "name": "auth-token-coverity-image",
                                    "subPath": ".dockerconfigjson"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "cov-license",
                            "secret": {
                                "optional": true,
                                "secretName": "cov-license"
                            }
                        },
                        {
                            "name": "auth-token-coverity-image",
                            "secret": {
                                "optional": true,
                                "secretName": "auth-token-coverity-image"
                            }
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=199efd7eac382257fdf540ad73856a709ce62977",
                    "build.appstudio.redhat.com/commit_sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "build.appstudio.redhat.com/pull_request_number": "22774",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84970971541",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-aizxpa",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-s24dt",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/e11c6258-b1db-4160-a206-8241e80c155d/records/3457e03c-680a-4800-9086-d8b33a5e82cd",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"199efd7eac382257fdf540ad73856a709ce62977\",\"eventType\":\"pull_request\",\"pull_request-id\":22774}",
                    "results.tekton.dev/result": "group-i4dp/results/e11c6258-b1db-4160-a206-8241e80c155d",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-v9b4py-on-pull-request-rxqst is running for component go-component-v9b4py, waiting for it to create a new group Snapshot for PR group pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:34:06Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84970971541",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-s24dt",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-s24dt",
                    "tekton.dev/pipelineRunUID": "e11c6258-b1db-4160-a206-8241e80c155d",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "tekton.dev/task": "deprecated-image-check",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "pyt817a9145db84110a5673aa1576ecda3d-deprecated-base-image-check",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-s24dt",
                        "uid": "e11c6258-b1db-4160-a206-8241e80c155d"
                    }
                ],
                "resourceVersion": "51539",
                "uid": "3457e03c-680a-4800-9086-d8b33a5e82cd"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:35:19Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:35:19Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pyt817a9145db84110a5673aa15a7cadd1455d14c1ae29dd47331c58db9-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977\", \"digests\": [\"sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:34:24+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":1,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:34:06Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "check-images",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://126e0b5170718296716f07c2a9a4551deb5b162c5f591eccda6f60f760c783e6",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:34:24Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977\\\", \\\"digests\\\": [\\\"sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:34:24+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":1,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:34:17Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    # Get base images from SBOM\n    cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n    if [ $? -ne 0 ]; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n  # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n  mkdir -p ${IMAGE_REPO_PATH}\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n    --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n    --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n    failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "build.appstudio.redhat.com/commit_sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84968997179",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-lqqecl",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-push-j7m22",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22773 from redhat-appstudio-qe/konflux-python-component-28wip7\n\nkonflux-ci e2e-tests update python-component-28wip7",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/61fbea71-1006-4818-8ff3-005e79e67ef8/records/72d8940c-7ac3-4fb7-bd93-53e79224db39",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a51959f0cf9968e3155749b6c114a7b1bae41bc1\",\"eventType\":\"push\",\"pull_request-id\":22773}",
                    "results.tekton.dev/result": "group-i4dp/results/61fbea71-1006-4818-8ff3-005e79e67ef8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-03T09:22:42Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84968997179",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-push-j7m22",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-push-j7m22",
                    "tekton.dev/pipelineRunUID": "61fbea71-1006-4818-8ff3-005e79e67ef8",
                    "tekton.dev/pipelineTask": "coverity-availability-check",
                    "tekton.dev/task": "coverity-availability-check"
                },
                "name": "pytcaf7d76b7123591e85f7bf85261cd01d-coverity-availability-check",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-push-j7m22",
                        "uid": "61fbea71-1006-4818-8ff3-005e79e67ef8"
                    }
                ],
                "resourceVersion": "38622",
                "uid": "72d8940c-7ac3-4fb7-bd93-53e79224db39"
            },
            "spec": {
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "coverity-availability-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:23:02Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:23:02Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pytcaf7d76b7123591e85f7bf858521942c53ca8fbf7af784fa5a39fa43-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        "entryPoint": "coverity-availability-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check"
                    }
                },
                "results": [
                    {
                        "name": "STATUS",
                        "type": "string",
                        "value": "failed"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"2026-07-03T09:23:00+00:00\",\"note\":\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\",\"namespace\":\"default\",\"successes\":0,\"failures\":1,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:22:44Z",
                "steps": [
                    {
                        "container": "step-coverity-availability-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "coverity-availability-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://92b0011e4ca7d1efcfd9bee8403f113d2c68d1707f1ef793f4592698c01f0ec1",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:23:00Z",
                            "message": "[{\"key\":\"STATUS\",\"value\":\"failed\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"2026-07-03T09:23:00+00:00\\\",\\\"note\\\":\\\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":1,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:23:00Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.",
                    "params": [
                        {
                            "default": "cov-license",
                            "description": "Name of secret which contains the Coverity license",
                            "name": "COV_LICENSE",
                            "type": "string"
                        },
                        {
                            "default": "auth-token-coverity-image",
                            "description": "Name of secret which contains the authentication token for pulling the Coverity image.",
                            "name": "AUTH_TOKEN_COVERITY_IMAGE",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task result output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Tekton task simple status to be later checked",
                            "name": "STATUS",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "COV_LICENSE",
                                    "value": "cov-license"
                                },
                                {
                                    "name": "AUTH_TOKEN_COVERITY_IMAGE",
                                    "value": "auth-token-coverity-image"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "coverity-availability-check",
                            "script": "#!/usr/bin/env bash\nset -eo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Checking Coverity license\nCOV_LICENSE_PATH=/etc/secrets/cov/cov-license\nif [ -f \"${COV_LICENSE_PATH}\" ] \u0026\u0026 [ -s \"${COV_LICENSE_PATH}\" ]; then\n  echo \"Coverity license detected!\"\nelse\n  echo 'No license file for Coverity was detected. Coverity scan will not be executed...'\n  echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license'\n  note=\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# Checking authentication token for downloading coverity image\nAUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json\nif [ -f \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ] \u0026\u0026 [ -s \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ]; then\n  echo \"Authentication token detected!\"\nelse\n  echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...'\n  echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image'\n  note=\"Task coverity-availability-check failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nnote=\"Task coverity-availability-check completed: Coverity availability checks finished succesfully.\"\n# shellcheck disable=SC2034\nTEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t \"$note\")\necho -n \"success\" | tee \"/tekton/results/STATUS\"\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets/cov",
                                    "name": "cov-license",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/secrets/auth/config.json",
                                    "name": "auth-token-coverity-image",
                                    "subPath": ".dockerconfigjson"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "cov-license",
                            "secret": {
                                "optional": true,
                                "secretName": "cov-license"
                            }
                        },
                        {
                            "name": "auth-token-coverity-image",
                            "secret": {
                                "optional": true,
                                "secretName": "auth-token-coverity-image"
                            }
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "build.appstudio.redhat.com/commit_sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84968997179",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-lqqecl",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-push-j7m22",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22773 from redhat-appstudio-qe/konflux-python-component-28wip7\n\nkonflux-ci e2e-tests update python-component-28wip7",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/61fbea71-1006-4818-8ff3-005e79e67ef8/records/b6cf861e-8fa9-4009-ba59-69c5eb7b4118",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a51959f0cf9968e3155749b6c114a7b1bae41bc1\",\"eventType\":\"push\",\"pull_request-id\":22773}",
                    "results.tekton.dev/result": "group-i4dp/results/61fbea71-1006-4818-8ff3-005e79e67ef8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-03T09:22:42Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84968997179",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-push-j7m22",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-push-j7m22",
                    "tekton.dev/pipelineRunUID": "61fbea71-1006-4818-8ff3-005e79e67ef8",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "tekton.dev/task": "deprecated-image-check"
                },
                "name": "pytcaf7d76b7123591e85f7bf85261cd01d-deprecated-base-image-check",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-push-j7m22",
                        "uid": "61fbea71-1006-4818-8ff3-005e79e67ef8"
                    }
                ],
                "resourceVersion": "40743",
                "uid": "b6cf861e-8fa9-4009-ba59-69c5eb7b4118"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:24:07Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:24:07Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pytcaf7d76b7123591e85f7bf85ade28b00aea1770296f36598bd31d00c-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1\", \"digests\": [\"sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:24:07+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":1,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:22:42Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "check-images",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d26652efe5970c2e15fefe8a2e8e1bb657890ad136d3165e0cec7424a3664c49",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:24:07Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1\\\", \\\"digests\\\": [\\\"sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:24:07+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":1,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:24:00Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    # Get base images from SBOM\n    cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n    if [ $? -ne 0 ]; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n  # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n  mkdir -p ${IMAGE_REPO_PATH}\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n    --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n    --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n    failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "build.appstudio.redhat.com/commit_sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "build.appstudio.redhat.com/pull_request_number": "22774",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969855127",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-atayna",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-b289z",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/5e2379c4-9470-44ab-bf34-da72dcf9436e/records/f87458be-48b8-4ecd-b636-c639d0e2a291",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"52eb37d0bb8d37e5becf0e76a3e07fe42166f917\",\"eventType\":\"pull_request\",\"pull_request-id\":22774}",
                    "results.tekton.dev/result": "group-i4dp/results/5e2379c4-9470-44ab-bf34-da72dcf9436e",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR konflux-test-integration-clone-ld7t88-on-pull-request-9np5w is running for component konflux-test-integration-clone-ld7t88, waiting for it to create a new group Snapshot for PR group pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:28:04Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969855127",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-b289z",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-b289z",
                    "tekton.dev/pipelineRunUID": "5e2379c4-9470-44ab-bf34-da72dcf9436e",
                    "tekton.dev/pipelineTask": "coverity-availability-check",
                    "tekton.dev/task": "coverity-availability-check",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "pytea62ebf86fc205eb5ccd02630778eac6-coverity-availability-check",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-b289z",
                        "uid": "5e2379c4-9470-44ab-bf34-da72dcf9436e"
                    }
                ],
                "resourceVersion": "44937",
                "uid": "f87458be-48b8-4ecd-b636-c639d0e2a291"
            },
            "spec": {
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "coverity-availability-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:28:22Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:28:22Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pytea62ebf86fc205eb5ccd02632369756fc82e175c31b3cba9a5b1316a-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        "entryPoint": "coverity-availability-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check"
                    }
                },
                "results": [
                    {
                        "name": "STATUS",
                        "type": "string",
                        "value": "failed"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"2026-07-03T09:28:19+00:00\",\"note\":\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\",\"namespace\":\"default\",\"successes\":0,\"failures\":1,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:28:05Z",
                "steps": [
                    {
                        "container": "step-coverity-availability-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "coverity-availability-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://0854473de2e9e2ee0cdc3220d227d7e701eeeecccc399c9f2128459ba12d2815",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:28:19Z",
                            "message": "[{\"key\":\"STATUS\",\"value\":\"failed\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"2026-07-03T09:28:19+00:00\\\",\\\"note\\\":\\\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":1,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:28:19Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.",
                    "params": [
                        {
                            "default": "cov-license",
                            "description": "Name of secret which contains the Coverity license",
                            "name": "COV_LICENSE",
                            "type": "string"
                        },
                        {
                            "default": "auth-token-coverity-image",
                            "description": "Name of secret which contains the authentication token for pulling the Coverity image.",
                            "name": "AUTH_TOKEN_COVERITY_IMAGE",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task result output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Tekton task simple status to be later checked",
                            "name": "STATUS",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "COV_LICENSE",
                                    "value": "cov-license"
                                },
                                {
                                    "name": "AUTH_TOKEN_COVERITY_IMAGE",
                                    "value": "auth-token-coverity-image"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "coverity-availability-check",
                            "script": "#!/usr/bin/env bash\nset -eo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Checking Coverity license\nCOV_LICENSE_PATH=/etc/secrets/cov/cov-license\nif [ -f \"${COV_LICENSE_PATH}\" ] \u0026\u0026 [ -s \"${COV_LICENSE_PATH}\" ]; then\n  echo \"Coverity license detected!\"\nelse\n  echo 'No license file for Coverity was detected. Coverity scan will not be executed...'\n  echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license'\n  note=\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# Checking authentication token for downloading coverity image\nAUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json\nif [ -f \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ] \u0026\u0026 [ -s \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ]; then\n  echo \"Authentication token detected!\"\nelse\n  echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...'\n  echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image'\n  note=\"Task coverity-availability-check failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nnote=\"Task coverity-availability-check completed: Coverity availability checks finished succesfully.\"\n# shellcheck disable=SC2034\nTEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t \"$note\")\necho -n \"success\" | tee \"/tekton/results/STATUS\"\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets/cov",
                                    "name": "cov-license",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/secrets/auth/config.json",
                                    "name": "auth-token-coverity-image",
                                    "subPath": ".dockerconfigjson"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "cov-license",
                            "secret": {
                                "optional": true,
                                "secretName": "cov-license"
                            }
                        },
                        {
                            "name": "auth-token-coverity-image",
                            "secret": {
                                "optional": true,
                                "secretName": "auth-token-coverity-image"
                            }
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "build.appstudio.redhat.com/commit_sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "build.appstudio.redhat.com/pull_request_number": "22774",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969855127",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-atayna",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-b289z",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/5e2379c4-9470-44ab-bf34-da72dcf9436e/records/9e71af09-cc62-4939-bd38-9916a15ffc97",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"52eb37d0bb8d37e5becf0e76a3e07fe42166f917\",\"eventType\":\"pull_request\",\"pull_request-id\":22774}",
                    "results.tekton.dev/result": "group-i4dp/results/5e2379c4-9470-44ab-bf34-da72dcf9436e",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR konflux-test-integration-clone-ld7t88-on-pull-request-9np5w is running for component konflux-test-integration-clone-ld7t88, waiting for it to create a new group Snapshot for PR group pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:28:03Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969855127",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-b289z",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-b289z",
                    "tekton.dev/pipelineRunUID": "5e2379c4-9470-44ab-bf34-da72dcf9436e",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "tekton.dev/task": "deprecated-image-check",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "pytea62ebf86fc205eb5ccd02630778eac6-deprecated-base-image-check",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-b289z",
                        "uid": "5e2379c4-9470-44ab-bf34-da72dcf9436e"
                    }
                ],
                "resourceVersion": "44690",
                "uid": "9e71af09-cc62-4939-bd38-9916a15ffc97"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:28:21Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:28:21Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pytea62ebf86fc205eb5ccd0263a78f0d7792210c542dbe2fc89e296caa-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917\", \"digests\": [\"sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:28:17+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":1,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:28:03Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "check-images",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://df22ae16200cf2f9bbe08223693c640bf48e108cea7cdc7a9c2749ddec2e09df",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:28:17Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917\\\", \\\"digests\\\": [\\\"sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:28:17+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":1,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:28:10Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    # Get base images from SBOM\n    cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n    if [ $? -ne 0 ]; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n  # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n  mkdir -p ${IMAGE_REPO_PATH}\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n    --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n    --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n    failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "build.appstudio.redhat.com/commit_sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "build.appstudio.redhat.com/pull_request_number": "22773",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-909fd0dfdb",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84967978960",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ycsfib",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-nq6fx",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-28wip7",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-28wip7",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/d0903d73-a704-4437-bb2a-90c56c6912d6/records/9d5637b4-9e11-4bf2-b1f0-537c82af0ed4",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\",\"eventType\":\"pull_request\",\"pull_request-id\":22773}",
                    "results.tekton.dev/result": "group-i4dp/results/d0903d73-a704-4437-bb2a-90c56c6912d6",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-28wip7",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:14:03Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84967978960",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-nq6fx",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-nq6fx",
                    "tekton.dev/pipelineRunUID": "d0903d73-a704-4437-bb2a-90c56c6912d6",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies",
                    "test.appstudio.openshift.io/pr-group-sha": "258679abe19d5d494ae31bf8378944fc84231aac62b193a6d81f2ac7866fe4"
                },
                "name": "python-co63090fcc62a458c135e2e0bf0e2a4a01-prefetch-dependencies",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-nq6fx",
                        "uid": "d0903d73-a704-4437-bb2a-90c56c6912d6"
                    }
                ],
                "resourceVersion": "30385",
                "uid": "9d5637b4-9e11-4bf2-b1f0-537c82af0ed4"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.3@sha256:45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-2d153916f7"
                        }
                    },
                    {
                        "name": "git-basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-ycsfib"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:14:19Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:14:19Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-co63090fcc62a458c135082737449443063a60b6befe963b546b-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        "entryPoint": "prefetch-dependencies",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies"
                    }
                },
                "startTime": "2026-07-03T09:14:04Z",
                "steps": [
                    {
                        "container": "step-prefetch-dependencies",
                        "imageID": "quay.io/konflux-ci/hermeto@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                        "name": "prefetch-dependencies",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://8ec36402d9c892322658e8dbe057c7a0fed1d70719524b3e42fbc814add8c081",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:14:12Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:14:07Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for hermetic build.",
                    "params": [
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/workspace/source/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/workspace/source/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILE",
                                    "value": "/workspace/source/cachi2/cachi2.env"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY",
                                    "value": "/workspace/git-basic-auth"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.48.0@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e /mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace with the source code, prefetch artifacts will be stored on the workspace as well",
                            "name": "source"
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=199efd7eac382257fdf540ad73856a709ce62977",
                    "build.appstudio.redhat.com/commit_sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "build.appstudio.redhat.com/pull_request_number": "22774",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-619920aa29",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84970971541",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-aizxpa",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-s24dt",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/e11c6258-b1db-4160-a206-8241e80c155d/records/6d17f416-2a0a-4c11-9099-d8d1f0812f6b",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"199efd7eac382257fdf540ad73856a709ce62977\",\"eventType\":\"pull_request\",\"pull_request-id\":22774}",
                    "results.tekton.dev/result": "group-i4dp/results/e11c6258-b1db-4160-a206-8241e80c155d",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-v9b4py-on-pull-request-rxqst is running for component go-component-v9b4py, waiting for it to create a new group Snapshot for PR group pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:31:05Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84970971541",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-s24dt",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-s24dt",
                    "tekton.dev/pipelineRunUID": "e11c6258-b1db-4160-a206-8241e80c155d",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "python-co817a9145db84110a5673aa1576ecda3d-prefetch-dependencies",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-s24dt",
                        "uid": "e11c6258-b1db-4160-a206-8241e80c155d"
                    }
                ],
                "resourceVersion": "48518",
                "uid": "6d17f416-2a0a-4c11-9099-d8d1f0812f6b"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.3@sha256:45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-29e0ba6b8a"
                        }
                    },
                    {
                        "name": "git-basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-aizxpa"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:31:16Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:31:16Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-co817a9145db84110a56f88e50092ac8535c9bec017dab77d397-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        "entryPoint": "prefetch-dependencies",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies"
                    }
                },
                "startTime": "2026-07-03T09:31:06Z",
                "steps": [
                    {
                        "container": "step-prefetch-dependencies",
                        "imageID": "quay.io/konflux-ci/hermeto@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                        "name": "prefetch-dependencies",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://8157b79ab6136492529621e4f896b430d5ff395ed783561ab23e3a488de4a94f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:31:15Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:31:11Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for hermetic build.",
                    "params": [
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/workspace/source/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/workspace/source/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILE",
                                    "value": "/workspace/source/cachi2/cachi2.env"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY",
                                    "value": "/workspace/git-basic-auth"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.48.0@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e /mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace with the source code, prefetch artifacts will be stored on the workspace as well",
                            "name": "source"
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "build.appstudio.redhat.com/commit_sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "build.appstudio.redhat.com/pull_request_number": "22774",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-c4a4687d54",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969855127",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-atayna",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-b289z",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/5e2379c4-9470-44ab-bf34-da72dcf9436e/records/49a9ff7a-5c50-41df-89bf-e06b0cd25b9e",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"52eb37d0bb8d37e5becf0e76a3e07fe42166f917\",\"eventType\":\"pull_request\",\"pull_request-id\":22774}",
                    "results.tekton.dev/result": "group-i4dp/results/5e2379c4-9470-44ab-bf34-da72dcf9436e",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR konflux-test-integration-clone-ld7t88-on-pull-request-9np5w is running for component konflux-test-integration-clone-ld7t88, waiting for it to create a new group Snapshot for PR group pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:24:54Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969855127",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-b289z",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-b289z",
                    "tekton.dev/pipelineRunUID": "5e2379c4-9470-44ab-bf34-da72dcf9436e",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "python-coea62ebf86fc205eb5ccd02630778eac6-prefetch-dependencies",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-b289z",
                        "uid": "5e2379c4-9470-44ab-bf34-da72dcf9436e"
                    }
                ],
                "resourceVersion": "41423",
                "uid": "49a9ff7a-5c50-41df-89bf-e06b0cd25b9e"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.3@sha256:45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-ae2654979f"
                        }
                    },
                    {
                        "name": "git-basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-atayna"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:25:03Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:25:03Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-coea62ebf86fc205eb5c004d711b9f463026ce89f797fe9901c8-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        "entryPoint": "prefetch-dependencies",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies"
                    }
                },
                "startTime": "2026-07-03T09:24:54Z",
                "steps": [
                    {
                        "container": "step-prefetch-dependencies",
                        "imageID": "quay.io/konflux-ci/hermeto@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                        "name": "prefetch-dependencies",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6a964658a8049c896f4c18ef3a0f4993277a54f1093d3e8d5e2749730eb1d305",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:25:03Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:24:58Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for hermetic build.",
                    "params": [
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/workspace/source/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/workspace/source/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILE",
                                    "value": "/workspace/source/cachi2/cachi2.env"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY",
                                    "value": "/workspace/git-basic-auth"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.48.0@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e /mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace with the source code, prefetch artifacts will be stored on the workspace as well",
                            "name": "source"
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "build.appstudio.redhat.com/commit_sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "build.appstudio.redhat.com/pull_request_number": "22773",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84967978960",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ycsfib",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-nq6fx",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-28wip7",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-28wip7",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/d0903d73-a704-4437-bb2a-90c56c6912d6/records/99917bd5-31fc-42af-ab3a-3ff93e2b8482",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\",\"eventType\":\"pull_request\",\"pull_request-id\":22773}",
                    "results.tekton.dev/result": "group-i4dp/results/d0903d73-a704-4437-bb2a-90c56c6912d6",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-28wip7",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:17:17Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84967978960",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-nq6fx",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-nq6fx",
                    "tekton.dev/pipelineRunUID": "d0903d73-a704-4437-bb2a-90c56c6912d6",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "258679abe19d5d494ae31bf8378944fc84231aac62b193a6d81f2ac7866fe4"
                },
                "name": "python-comp63090fcc62a458c135e2e0bf0e2a4a01-rpms-signature-scan",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-nq6fx",
                        "uid": "d0903d73-a704-4437-bb2a-90c56c6912d6"
                    }
                ],
                "resourceVersion": "33996",
                "uid": "99917bd5-31fc-42af-ab3a-3ff93e2b8482"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:18:15Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:18:15Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-comp63090fcc62a458c1717eee92b64b48027eaf2d075dd38aed-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\", \"digests\": [\"sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"199e2f91fd431d51\": 467, \"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:18:14+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:17:20Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                        "name": "rpms-signature-scan",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://cf481ac059fb7a8cafdfc4858f5103fec43d271a9a5de6615075d1534e6c2550",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:18:13Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:17:32Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                        "name": "output-results",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://5951cf7a08a73f55c1a4ca8164b03231c0f94b2461216057b476a0ce11924e61",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:18:15Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\\\", \\\"digests\\\": [\\\"sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 467, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:18:14+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:18:14Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provide information about RPMs signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=199efd7eac382257fdf540ad73856a709ce62977",
                    "build.appstudio.redhat.com/commit_sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "build.appstudio.redhat.com/pull_request_number": "22774",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84970971541",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-aizxpa",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-s24dt",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/e11c6258-b1db-4160-a206-8241e80c155d/records/ff289c41-30a2-4ac8-91c5-ddd7a7cd8b7a",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"199efd7eac382257fdf540ad73856a709ce62977\",\"eventType\":\"pull_request\",\"pull_request-id\":22774}",
                    "results.tekton.dev/result": "group-i4dp/results/e11c6258-b1db-4160-a206-8241e80c155d",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-v9b4py-on-pull-request-rxqst is running for component go-component-v9b4py, waiting for it to create a new group Snapshot for PR group pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:34:07Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84970971541",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-s24dt",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-s24dt",
                    "tekton.dev/pipelineRunUID": "e11c6258-b1db-4160-a206-8241e80c155d",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "python-comp817a9145db84110a5673aa1576ecda3d-rpms-signature-scan",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-s24dt",
                        "uid": "e11c6258-b1db-4160-a206-8241e80c155d"
                    }
                ],
                "resourceVersion": "53269",
                "uid": "ff289c41-30a2-4ac8-91c5-ddd7a7cd8b7a"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:36:11Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:36:11Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-comp817a9145db84110a780e0f338c4949583e855651c96cbfee-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977\", \"digests\": [\"sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"199e2f91fd431d51\": 467, \"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:36:10+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:34:12Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                        "name": "rpms-signature-scan",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e05f6110dd41ce4af53327b96a5d6adf402eb2fc2676d3321ad867ed9a89e171",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:36:10Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:35:28Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                        "name": "output-results",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://41c8dde9b442427fff2529c89565b9182d849225e438d341626ff993e90fde8b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:36:11Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977\\\", \\\"digests\\\": [\\\"sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 467, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:36:10+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:36:10Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provide information about RPMs signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "build.appstudio.redhat.com/commit_sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "build.appstudio.redhat.com/pull_request_number": "22774",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969855127",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-atayna",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-b289z",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/5e2379c4-9470-44ab-bf34-da72dcf9436e/records/296b7e88-9eeb-4131-abcc-6e290c177a25",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"52eb37d0bb8d37e5becf0e76a3e07fe42166f917\",\"eventType\":\"pull_request\",\"pull_request-id\":22774}",
                    "results.tekton.dev/result": "group-i4dp/results/5e2379c4-9470-44ab-bf34-da72dcf9436e",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR konflux-test-integration-clone-ld7t88-on-pull-request-9np5w is running for component konflux-test-integration-clone-ld7t88, waiting for it to create a new group Snapshot for PR group pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:28:04Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969855127",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-b289z",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-b289z",
                    "tekton.dev/pipelineRunUID": "5e2379c4-9470-44ab-bf34-da72dcf9436e",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "python-compea62ebf86fc205eb5ccd02630778eac6-rpms-signature-scan",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-b289z",
                        "uid": "5e2379c4-9470-44ab-bf34-da72dcf9436e"
                    }
                ],
                "resourceVersion": "45877",
                "uid": "296b7e88-9eeb-4131-abcc-6e290c177a25"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:29:32Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:29:32Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-compea62ebf86fc205eb5e80d8cb47d847e24c8a09f61f8fd8ae-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917\", \"digests\": [\"sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"199e2f91fd431d51\": 467, \"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:29:10+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:28:08Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                        "name": "rpms-signature-scan",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://70be0912ef58048cb86a1e9d911808ed4950ad2fdcde8a636342124c27354aad",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:29:10Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:28:26Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                        "name": "output-results",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://42433b364283969ff2ac65d934c726c407917c37413510aadf83dfb12a25eafb",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:29:11Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917\\\", \\\"digests\\\": [\\\"sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 467, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:29:10+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:29:10Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provide information about RPMs signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "build.appstudio.redhat.com/commit_sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "build.appstudio.redhat.com/pull_request_number": "22773",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-909fd0dfdb",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84967978960",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ycsfib",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-nq6fx",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-28wip7",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-28wip7",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/d0903d73-a704-4437-bb2a-90c56c6912d6/records/8ab51407-572e-4e3b-8648-2af703f4d1aa",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\",\"eventType\":\"pull_request\",\"pull_request-id\":22773}",
                    "results.tekton.dev/result": "group-i4dp/results/d0903d73-a704-4437-bb2a-90c56c6912d6",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-28wip7",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:17:16Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84967978960",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-nq6fx",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-nq6fx",
                    "tekton.dev/pipelineRunUID": "d0903d73-a704-4437-bb2a-90c56c6912d6",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check",
                    "test.appstudio.openshift.io/pr-group-sha": "258679abe19d5d494ae31bf8378944fc84231aac62b193a6d81f2ac7866fe4"
                },
                "name": "python-compo63090fcc62a458c135e2e0bf0e2a4a01-sast-unicode-check",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-nq6fx",
                        "uid": "d0903d73-a704-4437-bb2a-90c56c6912d6"
                    }
                ],
                "resourceVersion": "33402",
                "uid": "8ab51407-572e-4e3b-8648-2af703f4d1aa"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.4@sha256:d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-2d153916f7"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:17:34Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:17:34Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-compo63090fcc62a458cd1f9eba13592264f47e0b131ff70cf20-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        "entryPoint": "sast-unicode-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:17:32+00:00\",\"note\":\"Task sast-unicode-check success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:17:18Z",
                "steps": [
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-unicode-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://4372564d1a272981f40df5038ac4ceba0a6263857514ea239a8b1559d41a76e4",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:17:32Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:17:32+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:17:31Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e3addaa0596e74af39b42afac1be02a98fb19bef3326488a2e4466e8d58ae234",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:17:33Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:17:32+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:17:32Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
                            "description": "arguments for find-unicode-control command.",
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/workspace/workspace"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n    \u003eraw_sast_unicode_check_out.txt \\\n    2\u003eraw_sast_unicode_check_out.log \\\n    || FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n    echo \"Failed to run find-unicode-control command\" \u003e\u00262\n    cat raw_sast_unicode_check_out.log\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n    echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n    --mode=json\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"${SCAN_PROP}\"\n    --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003e processed_sast_unicode_check_out.json 2\u003e processed_sast_unicode_check_out.err; then\n    echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n    cat processed_sast_unicode_check_out.err\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # Build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    # Append --record-excluded option if RECORD_EXCLUDED is true\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003e sast_unicode_check_out.json 2\u003e sast_unicode_check_out.error\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n        mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n    else\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003e sast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n    note=\"Task sast-unicode-check success: No finding was detected\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s  sast_unicode_check_out.sarif ]]; then\n    note=\"Task sast-unicode-check success: Some findings were detected, but filtered by known false positive\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n    echo \"sast-unicode-check test failed because of the following issues:\"\n    cat sast_unicode_check_out.json\n    TEST_OUTPUT=\n    parse_test_output \"sast-unicode-check\" sarif sast_unicode_check_out.sarif  || true\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0;\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n\n    if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=199efd7eac382257fdf540ad73856a709ce62977",
                    "build.appstudio.redhat.com/commit_sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "build.appstudio.redhat.com/pull_request_number": "22774",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-619920aa29",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84970971541",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-aizxpa",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-s24dt",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/e11c6258-b1db-4160-a206-8241e80c155d/records/bec2d5a5-dd28-4c21-a812-75c03d8fb7ce",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"199efd7eac382257fdf540ad73856a709ce62977\",\"eventType\":\"pull_request\",\"pull_request-id\":22774}",
                    "results.tekton.dev/result": "group-i4dp/results/e11c6258-b1db-4160-a206-8241e80c155d",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-v9b4py-on-pull-request-rxqst is running for component go-component-v9b4py, waiting for it to create a new group Snapshot for PR group pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:34:07Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84970971541",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-s24dt",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-s24dt",
                    "tekton.dev/pipelineRunUID": "e11c6258-b1db-4160-a206-8241e80c155d",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "python-compo817a9145db84110a5673aa1576ecda3d-sast-unicode-check",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-s24dt",
                        "uid": "e11c6258-b1db-4160-a206-8241e80c155d"
                    }
                ],
                "resourceVersion": "51798",
                "uid": "bec2d5a5-dd28-4c21-a812-75c03d8fb7ce"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.4@sha256:d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-29e0ba6b8a"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:35:32Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:35:32Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-compo817a9145db84110460825b7a65f06777de405be8c000564-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        "entryPoint": "sast-unicode-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:35:30+00:00\",\"note\":\"Task sast-unicode-check success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:34:10Z",
                "steps": [
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-unicode-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3ba9415f2c475e3000a4e62d3f2f35c3724a6814e83dfaa29026a6f652007965",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:35:30Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:35:30+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:35:29Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://574eab5389e5c7de929011f408b02c6f647433aca673ce105248a58522faf530",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:35:32Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:35:30+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:35:31Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
                            "description": "arguments for find-unicode-control command.",
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/workspace/workspace"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n    \u003eraw_sast_unicode_check_out.txt \\\n    2\u003eraw_sast_unicode_check_out.log \\\n    || FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n    echo \"Failed to run find-unicode-control command\" \u003e\u00262\n    cat raw_sast_unicode_check_out.log\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n    echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n    --mode=json\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"${SCAN_PROP}\"\n    --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003e processed_sast_unicode_check_out.json 2\u003e processed_sast_unicode_check_out.err; then\n    echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n    cat processed_sast_unicode_check_out.err\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # Build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    # Append --record-excluded option if RECORD_EXCLUDED is true\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003e sast_unicode_check_out.json 2\u003e sast_unicode_check_out.error\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n        mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n    else\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003e sast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n    note=\"Task sast-unicode-check success: No finding was detected\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s  sast_unicode_check_out.sarif ]]; then\n    note=\"Task sast-unicode-check success: Some findings were detected, but filtered by known false positive\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n    echo \"sast-unicode-check test failed because of the following issues:\"\n    cat sast_unicode_check_out.json\n    TEST_OUTPUT=\n    parse_test_output \"sast-unicode-check\" sarif sast_unicode_check_out.sarif  || true\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0;\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n\n    if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "build.appstudio.redhat.com/commit_sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "build.appstudio.redhat.com/pull_request_number": "22774",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-c4a4687d54",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969855127",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-atayna",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-b289z",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/5e2379c4-9470-44ab-bf34-da72dcf9436e/records/ee3e7796-b18f-4792-a921-880acb6d0ab4",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"52eb37d0bb8d37e5becf0e76a3e07fe42166f917\",\"eventType\":\"pull_request\",\"pull_request-id\":22774}",
                    "results.tekton.dev/result": "group-i4dp/results/5e2379c4-9470-44ab-bf34-da72dcf9436e",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR konflux-test-integration-clone-ld7t88-on-pull-request-9np5w is running for component konflux-test-integration-clone-ld7t88, waiting for it to create a new group Snapshot for PR group pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:28:04Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969855127",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-b289z",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-b289z",
                    "tekton.dev/pipelineRunUID": "5e2379c4-9470-44ab-bf34-da72dcf9436e",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "python-compoea62ebf86fc205eb5ccd02630778eac6-sast-unicode-check",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-b289z",
                        "uid": "5e2379c4-9470-44ab-bf34-da72dcf9436e"
                    }
                ],
                "resourceVersion": "45846",
                "uid": "ee3e7796-b18f-4792-a921-880acb6d0ab4"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.4@sha256:d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-ae2654979f"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:28:54Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:28:54Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-compoea62ebf86fc205e83a40a12a1d97b119687ab51d3743e6d-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        "entryPoint": "sast-unicode-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:28:34+00:00\",\"note\":\"Task sast-unicode-check success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:28:07Z",
                "steps": [
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-unicode-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://15d45b435f5c88c7f1a59fda087455c0019ae5c7c934a2eef5ad297aded9b387",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:28:34Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:28:34+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:28:31Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3b97b189a55fa777a210eafd21062a37df79219935e43dcf39ddb44ccad708a6",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:28:35Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:28:34+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:28:34Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
                            "description": "arguments for find-unicode-control command.",
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/workspace/workspace"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n    \u003eraw_sast_unicode_check_out.txt \\\n    2\u003eraw_sast_unicode_check_out.log \\\n    || FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n    echo \"Failed to run find-unicode-control command\" \u003e\u00262\n    cat raw_sast_unicode_check_out.log\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n    echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n    --mode=json\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"${SCAN_PROP}\"\n    --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003e processed_sast_unicode_check_out.json 2\u003e processed_sast_unicode_check_out.err; then\n    echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n    cat processed_sast_unicode_check_out.err\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # Build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    # Append --record-excluded option if RECORD_EXCLUDED is true\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003e sast_unicode_check_out.json 2\u003e sast_unicode_check_out.error\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n        mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n    else\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003e sast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n    note=\"Task sast-unicode-check success: No finding was detected\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s  sast_unicode_check_out.sarif ]]; then\n    note=\"Task sast-unicode-check success: Some findings were detected, but filtered by known false positive\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n    echo \"sast-unicode-check test failed because of the following issues:\"\n    cat sast_unicode_check_out.json\n    TEST_OUTPUT=\n    parse_test_output \"sast-unicode-check\" sarif sast_unicode_check_out.sarif  || true\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0;\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n\n    if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "build.appstudio.redhat.com/commit_sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "build.appstudio.redhat.com/pull_request_number": "22774",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969855127",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-atayna",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-b289z",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/5e2379c4-9470-44ab-bf34-da72dcf9436e/records/f7fbc487-48fc-476e-843b-1d0b077f03b3",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"52eb37d0bb8d37e5becf0e76a3e07fe42166f917\",\"eventType\":\"pull_request\",\"pull_request-id\":22774}",
                    "results.tekton.dev/result": "group-i4dp/results/5e2379c4-9470-44ab-bf34-da72dcf9436e",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR konflux-test-integration-clone-ld7t88-on-pull-request-9np5w is running for component konflux-test-integration-clone-ld7t88, waiting for it to create a new group Snapshot for PR group pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:28:04Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969855127",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-b289z",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-b289z",
                    "tekton.dev/pipelineRunUID": "5e2379c4-9470-44ab-bf34-da72dcf9436e",
                    "tekton.dev/pipelineTask": "apply-tags",
                    "tekton.dev/task": "apply-tags",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "python-component-28wip7-on-pull-request-b289z-apply-tags",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-b289z",
                        "uid": "5e2379c4-9470-44ab-bf34-da72dcf9436e"
                    }
                ],
                "resourceVersion": "44961",
                "uid": "f7fbc487-48fc-476e-843b-1d0b077f03b3"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "apply-tags"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:28:21Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:28:21Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-pull-request-b289z-apply-tags-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        "entryPoint": "apply-tags",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags"
                    }
                },
                "startTime": "2026-07-03T09:28:07Z",
                "steps": [
                    {
                        "container": "step-apply-additional-tags",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                        "name": "apply-additional-tags",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6616a98ce5eb7359917c39fd174de852d4946ef7794866ba952d6e81af0ff242",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:28:20Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:28:19Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Applies additional tags to the built image.",
                    "params": [
                        {
                            "description": "Image repository and tag reference of the the built image.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest of the built image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional tags that will be applied to the image in the registry.",
                            "name": "ADDITIONAL_TAGS",
                            "type": "array"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                                "--digest",
                                "sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc",
                                "--tags",
                                "--tags-from-image-label",
                                "konflux.additional-tags"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "apply-tags"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                            "name": "apply-additional-tags"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "build.appstudio.redhat.com/commit_sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "build.appstudio.redhat.com/pull_request_number": "22774",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-c4a4687d54",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969855127",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-atayna",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-b289z",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/5e2379c4-9470-44ab-bf34-da72dcf9436e/records/5d9076d3-e6a4-4ee8-b000-fb7c433d23c6",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"52eb37d0bb8d37e5becf0e76a3e07fe42166f917\",\"eventType\":\"pull_request\",\"pull_request-id\":22774}",
                    "results.tekton.dev/result": "group-i4dp/results/5e2379c4-9470-44ab-bf34-da72dcf9436e",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR konflux-test-integration-clone-ld7t88-on-pull-request-9np5w is running for component konflux-test-integration-clone-ld7t88, waiting for it to create a new group Snapshot for PR group pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:25:05Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969855127",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-b289z",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-b289z",
                    "tekton.dev/pipelineRunUID": "5e2379c4-9470-44ab-bf34-da72dcf9436e",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "python-component-28wip7-on-pull-request-b289z-build-container",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-b289z",
                        "uid": "5e2379c4-9470-44ab-bf34-da72dcf9436e"
                    }
                ],
                "resourceVersion": "43697",
                "uid": "5d9076d3-e6a4-4ee8-b000-fb7c433d23c6"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "docker/Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "python-component"
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.9@sha256:b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-ae2654979f"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:27:43Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:27:43Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-3cfd9163fd78f5578d49bf8a57d6bfc2-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        "entryPoint": "buildah",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917@sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7@sha256:ab0f0679a25dac96959aef14c148241a3d314eef120b8fe1b473e313b77f4f76"
                    }
                ],
                "startTime": "2026-07-03T09:25:05Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e89f7ea730d8ff5ec03fdb264aa7e621f8b35e5b53ecddc20b8ecffc4263c3fd",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:25:52Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:25:12Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://eb10a31d48ea65f33633c5d302aee65d9035085c513800fa7e971dbbed30465c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:26:29Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917@sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:25:52Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "sbom-syft-generate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2e60859b2a0ea57154630ba465a2dcb15eb877221a8bcb3613d324ffa4ea7c35",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:26:50Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917@sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:26:29Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "prepare-sboms",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://45173399e9e40303e98f646905741d7a56e2d2a46930d6d57f609a22f4fd6864",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:27:14Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917@sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:26:50Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://16b525ca8f9cdc26f1f6fb0ac0bceb32c1b39354ed4cdd1c388ff4d17fe2920b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:27:42Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917@sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7@sha256:ab0f0679a25dac96959aef14c148241a3d314eef120b8fe1b473e313b77f4f76\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:27:14Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.",
                    "params": [
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to enable privileged mode, should be used only with remote VMs",
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "4Gi"
                            },
                            "requests": {
                                "cpu": "1",
                                "memory": "4Gi"
                            }
                        },
                        "env": [
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "python-component"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "5d"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "ENTITLEMENT_SECRET",
                                "value": "etc-pki-entitlement"
                            },
                            {
                                "name": "ACTIVATION_KEY",
                                "value": "activation-key"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--build-args",
                                "--env",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                },
                                "requests": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "docker/Dockerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n  if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n    echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n    export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n      echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n      export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n    fi\n  fi\n}\n\nfunction unset_proxy {\n  echo \"[$(date --utc -Ins)] Unsetting proxy\"\n  unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n  echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n  CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n  \"$source_dir_path\" | \"$source_dir_path/\"*)\n    # path is valid, do nothing\n    ;;\n  *)\n    echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n    echo \"Source path: $source_dir_path\" \u003e\u00262\n    echo \"Resolved path: $context_dir_path\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n  # Instrumented builds (SAST) use this custom dockerfile step as their base\n  dockerfile_path=\"$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n  icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e /etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n  while IFS= read -r line || [[ -n \"$line\" ]]; do\n    # Skip empty lines and comments\n    if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n      ANNOTATIONS+=(\"--annotation\" \"$line\")\n    fi\n  done \u003c \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n    case $1 in\n        --build-args)\n            shift\n            # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n            # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n            # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do build_args+=(\"$1\"); shift; done\n            ;;\n        --env)\n            shift\n            # Collect env entries of the form KEY=value\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do env_vars+=(\"$1\"); shift; done\n            ;;\n        --labels)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do LABELS+=(\"--label\" \"$1\"); shift; done\n            ;;\n        --annotations)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ANNOTATIONS+=(\"--annotation\" \"$1\"); shift; done\n            ;;\n        *)\n            echo \"unexpected argument: $1\" \u003e\u00262\n            exit 2\n            ;;\n    esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n  BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n  ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e /shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n    jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--pull=never\")\n  UNSHARE_ARGS+=(\"--net\")\n  buildah_retries=3\n\n  set_proxy\n\n  for image in $BASE_IMAGES; do\n    if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"\n    then\n      echo \"Failed to pull base image ${image}\"\n      exit 1\n    fi\n  done\n\n  unset_proxy\n\n  echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n  BUILDAH_ARGS+=(\"--cap-add=all\")\n  BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n  BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n  if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n    BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n  fi\n  if [ -n \"$BUILD_TIMESTAMP\" ]; then\n    echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n    exit 1\n  fi\n  # but do set it so that we get all the labels/annotations associated with it\n  BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/workspace/source/cachi2/cachi2.env\" ]; then\n  # Identify the current arch to filter the prefetched content\n  PREFETCH_ARCH=\"$(uname -m)\"\n  echo \"$PREFETCH_ARCH\" \u003e /shared/prefetch-arch\n\n  echo \"Prefetched content will be made available\"\n\n  cp -r \"/workspace/source/cachi2\" /tmp/\n  chmod -R go+rwX /tmp/cachi2\n\n  # In case RPMs were prefetched and this is a multi-arch build,\n  # clean up the packages that do not match the architecture being built\n  RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n  if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n    echo \"Removing prefetched RPMs from non-matching architectures\"\n    PREFETCH_ARCH=\"$(uname -m)\"\n    for path in \"$RPM_PREFETCH_DIR\"/*; do\n      if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n        echo \"Removing: $path\"\n        rm -rf \"$path\"\n      else\n        echo \"Keeping: $path\"\n      fi\n    done\n  fi\n\n  VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n  # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n  # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n  sed -E -i \\\n      -e 'H;1h;$!d;x' \\\n      -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n    @igM' \\\n      \"$dockerfile_copy\"\n\n  prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n  if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n    echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n    mkdir -p \"$YUM_REPOS_D_FETCHED\"\n    if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n      cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n    fi\n  fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n  cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n  mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n  VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n  \"--label\" \"architecture=$(uname -m)\"\n  \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n  BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n  BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n  FINAL_BASE_IMAGE=$(\n    # Get the base image of the final stage\n    # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n    # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n    # Run the find_root_stage() function on the final stage\n    # If the final stage is scratch or oci-archive, return empty\n    jq -r '.Stages as $all_stages |\n      def find_root_stage($stage):\n        if $stage.From.Stage then\n          find_root_stage($all_stages[$stage.From.Stage.Index])\n        else\n          $stage\n        end;\n\n        find_root_stage(.Stages[-1]) |\n        if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n          empty\n        else\n          .BaseName\n        end' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n  )\n  if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n    set_proxy\n    buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null` `\n    unset_proxy\n    buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n  fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n  if [[ \"$label\" != \"--label\" ]]; then\n    label_pairs+=(\"$label\")\n  fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n  label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n  [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n  | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  echo \"\" \u003e\u003e\"$dockerfile_copy\"\n  # Always write labels.json to the new standard location\n  echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  # Conditionally write to the old location for backward compatibility\n  if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n    echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n  ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n  cp \"$containerignore\" \"$ignorefile_copy\"\n  {\n    echo \"\"\n    echo \"!/labels.json\"\n    echo \"!/content-sets.json\"\n  } \u003e\u003e \"$ignorefile_copy\"\n  BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n#    shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n  cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n  mkdir -p /shared/rhsm/etc/pki/entitlement\n  mkdir -p /shared/rhsm/etc/pki/consumer\n\n  VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key \\\n                  -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z \\\n                  -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n  echo \"Adding activation key to the build\"\n\n  if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n    # user is not running registration in the Containerfile: pre-register.\n    echo \"Pre-registering with subscription manager.\"\n    export RETRY_MAX_TRIES=6\n    if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"\n    then\n      echo \"Subscription-manager register failed\"\n      exit 1\n    fi\n    unset RETRY_MAX_TRIES\n    trap 'subscription-manager unregister || true' EXIT\n\n    # copy generated certificates to /shared volume\n    cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n    cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n    # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n    VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n  fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e /dev/null; then\n  cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n  VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n  echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n  if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n    echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n    echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n    exit 1\n  fi\n  # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n  # (we set the workdir using 'unshare -w')\n  context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n  VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n  # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n  # Instrumented builds (SAST) use this step as their base and add some other tools.\n  while read -r volume_mount; do\n    VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n  done \u003c\u003c\u003c \"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n  cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n  while read -r filename; do\n    echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n    BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n  done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n    buildah build\n    \"${VOLUME_MOUNTS[@]}\"\n    \"${BUILDAH_ARGS[@]}\"\n    \"${LABELS[@]}\"\n    \"${ANNOTATIONS[@]}\"\n    --tls-verify=\"$TLSVERIFY\" --no-cache\n    --ulimit nofile=4096:4096\n    --http-proxy=false\n    -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n  command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n  command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n  # Get the image pullspec and filter out a tag if it is not set\n  # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n  base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n  # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n  # if buildah did not use that particular image during build because it was skipped\n  if [ -n \"$base_image_digest\" ]; then\n    echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n  fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e /shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "python-component-28wip7-on-pull-request-b289z-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "push",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"\nthen\n  echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/workspace/source/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n  echo \"Failed to push sbom image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c \"/workspace/source\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/workspace/source/image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"\nthen\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n  [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n  [rekorInternalUrl]=REKOR_URL\n  [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n  [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n  [rekorInternalUrl]=rekorExternalUrl\n  [fulcioInternalUrl]=fulcioExternalUrl\n  [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e /shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e /tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\n  cyclonedx)\n    syft_sbom_type=cyclonedx-json@1.5 ;;\n  spdx)\n    syft_sbom_type=spdx-json@2.3 ;;\n  *)\n    echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/workspace/source/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/source/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n    --additional-base-images)\n      shift\n      while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ADDITIONAL_BASE_IMAGES+=(\"$1\"); shift; done\n      ;;\n    *)\n      echo \"unexpected argument: $1\" \u003e\u00262\n      exit 2\n      ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/workspace/source/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/workspace/source/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/workspace/source/sbom-source.json\")\nfi\n\nif [ -f \"/workspace/source/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/workspace/source/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n    # spdx export data as rawstring, we want structured json as cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code to build.",
                            "name": "source"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "build.appstudio.redhat.com/commit_sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "build.appstudio.redhat.com/pull_request_number": "22774",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969855127",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-atayna",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-b289z",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/5e2379c4-9470-44ab-bf34-da72dcf9436e/records/11396134-70f2-4de9-9f4e-aee48aaa5253",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"52eb37d0bb8d37e5becf0e76a3e07fe42166f917\",\"eventType\":\"pull_request\",\"pull_request-id\":22774}",
                    "results.tekton.dev/result": "group-i4dp/results/5e2379c4-9470-44ab-bf34-da72dcf9436e",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR konflux-test-integration-clone-ld7t88-on-pull-request-9np5w is running for component konflux-test-integration-clone-ld7t88, waiting for it to create a new group Snapshot for PR group pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:27:43Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969855127",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-b289z",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-b289z",
                    "tekton.dev/pipelineRunUID": "5e2379c4-9470-44ab-bf34-da72dcf9436e",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "tekton.dev/task": "build-image-index",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "python-component-28wip7-on-pull-request-b289z-build-image-index",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-b289z",
                        "uid": "5e2379c4-9470-44ab-bf34-da72dcf9436e"
                    }
                ],
                "resourceVersion": "43704",
                "uid": "11396134-70f2-4de9-9f4e-aee48aaa5253"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917@sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:28:01Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:28:01Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-5c7a47678ce93c71207a7689426ee81a-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        "entryPoint": "build-image-index",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7@sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                    }
                ],
                "startTime": "2026-07-03T09:27:43Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://380e6076d6edd42c1eb1a55f78f6dff39c6502d0c3d24a93360f1b0d009c1d2d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:27:57Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7@sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:27:54Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "create-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://97fe419b78d73fc147504024bfbc8c393b8b2b1a7639993049de7ff017079405",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:27:58Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7@sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:27:58Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://4a88e4884f2622fd0f1f95a6b4a821e8e62ba35a036289724d9bae0f7bdccba1",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:28:01Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7@sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:27:58Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The commit the image is built from.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "COMMIT_SHA",
                                "value": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917@sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n  echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n  exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n  TOADD=\"$i\"\n  TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n  TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n  if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n    #format is repository:tag@sha256:digest\n    #we need to remove the tag, and just reference the digest\n    #as tag + digest is not supported\n    TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n    TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n  fi\n  if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n    echo \"Skipping image index generation. Returning results for $TOADD.\"\n    echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n    echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n    echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n    exit 0\n  fi\n\n  echo \"Adding $TOADD\"\n  buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n  INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n  INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n  echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n  echo \"This will cause digest changes and break SBOM accessibility.\"\n  echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n  exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n    echo \"Failed to push image ${IMAGE} to registry\"\n    exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:python-component-28wip7-on-pull-request-b289z-build-image-index\"\nthen\n    echo \"Failed to push image ${IMAGE%:*}:python-component-28wip7-on-pull-request-b289z-build-image-index to registry\"\n    exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n  image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n  echo -n \"${IMAGE}@\"\n  cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "build.appstudio.redhat.com/commit_sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "build.appstudio.redhat.com/pull_request_number": "22774",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969855127",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-atayna",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-b289z",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/5e2379c4-9470-44ab-bf34-da72dcf9436e/records/cdfb1214-430f-4e6a-951e-5bfcbb8fb241",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"52eb37d0bb8d37e5becf0e76a3e07fe42166f917\",\"eventType\":\"pull_request\",\"pull_request-id\":22774}",
                    "results.tekton.dev/result": "group-i4dp/results/5e2379c4-9470-44ab-bf34-da72dcf9436e",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR konflux-test-integration-clone-ld7t88-on-pull-request-9np5w is running for component konflux-test-integration-clone-ld7t88, waiting for it to create a new group Snapshot for PR group pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:28:03Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969855127",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-b289z",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-b289z",
                    "tekton.dev/pipelineRunUID": "5e2379c4-9470-44ab-bf34-da72dcf9436e",
                    "tekton.dev/pipelineTask": "clair-scan",
                    "tekton.dev/task": "clair-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "python-component-28wip7-on-pull-request-b289z-clair-scan",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-b289z",
                        "uid": "5e2379c4-9470-44ab-bf34-da72dcf9436e"
                    }
                ],
                "resourceVersion": "47367",
                "uid": "cdfb1214-430f-4e6a-951e-5bfcbb8fb241"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clair-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:29:57Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:29:57Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-pull-request-b289z-clair-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        "entryPoint": "clair-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917\", \"digests\": [\"sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc\":\"sha256:07182acc4d5bfdd73b4eeb1fdaa0fa85389031f3f00336a3a0321ac4d1a7ca7a\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":331,\"medium\":873,\"low\":241,\"unknown\":2},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":4,\"medium\":489,\"low\":633,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:29:56+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:28:03Z",
                "steps": [
                    {
                        "container": "step-get-image-manifests",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "get-image-manifests",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://10cbe21f514f8232068c6efc15465a7939989d6c7279efbacf84f5e1683d6ecf",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:28:26Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:28:22Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:e030a6094b6d88b430ed049a6a59808f4b795e9d8293d72a4bbab44da8cc429f",
                        "name": "get-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://010ac7fa8d12c69b812d0fadf28ed0819fe312412916f334ede13d187e1e7fc1",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:29:25Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:28:26Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/oras@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                        "name": "oci-attach-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://5c916a7a9c0990fe20e3dadf7641a54f80c5043b41ea8b19f5f6bc3873f6d404",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:29:27Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:29:25Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "conftest-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://305c0abd0c8eaa66e101b2822e62942f71742419764e5a7e25e65affc5a6a10e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:29:56Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917\\\", \\\"digests\\\": [\\\"sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc\\\":\\\"sha256:07182acc4d5bfdd73b4eeb1fdaa0fa85389031f3f00336a3a0321ac4d1a7ca7a\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":331,\\\"medium\\\":873,\\\"low\\\":241,\\\"unknown\\\":2},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":4,\\\"medium\\\":489,\\\"low\\\":633,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:29:56+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:29:28Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform built by.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused, should be removed in next task version.",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Clair scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "get-image-manifests",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clair-in-ci:v1",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n  { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee  \"clair-report-$2.json\"; } \u0026\u0026 \\\n  { retry clair-action convert  --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-$arch.sha\"\n\n  if [ -e \"$sha_file\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n    local digest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running clair-action on $arch image manifest...\"\n    clair_report \"$digest\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n   fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_clair_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n  echo 'No Clair reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n  fi\n\n  #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "build.appstudio.redhat.com/commit_sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "build.appstudio.redhat.com/pull_request_number": "22774",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969855127",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-atayna",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-b289z",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/5e2379c4-9470-44ab-bf34-da72dcf9436e/records/6be75533-fc0a-4be6-880c-124127b4a0aa",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"52eb37d0bb8d37e5becf0e76a3e07fe42166f917\",\"eventType\":\"pull_request\",\"pull_request-id\":22774}",
                    "results.tekton.dev/result": "group-i4dp/results/5e2379c4-9470-44ab-bf34-da72dcf9436e",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR konflux-test-integration-clone-ld7t88-on-pull-request-9np5w is running for component konflux-test-integration-clone-ld7t88, waiting for it to create a new group Snapshot for PR group pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:28:03Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969855127",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-b289z",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-b289z",
                    "tekton.dev/pipelineRunUID": "5e2379c4-9470-44ab-bf34-da72dcf9436e",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "python-component-28wip7-on-pull-request-b289z-clamav-scan",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-b289z",
                        "uid": "5e2379c4-9470-44ab-bf34-da72dcf9436e"
                    }
                ],
                "resourceVersion": "45759",
                "uid": "6be75533-fc0a-4be6-880c-124127b4a0aa"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:29:32Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:29:32Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-pull-request-b289z-clamav-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        "entryPoint": "clamav-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917\", \"digests\": [\"sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1783070956\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-07-03T09:28:05Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:9b2b049119587b5e4e09297ce119396c17717381bbcd1a89041fdf3216073d36",
                        "name": "extract-and-scan-image",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c07e5885f539f32f226a390b0cf0b796718ebc38b1ac60e8426070ae1ba83d03",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:29:16Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917\\\", \\\"digests\\\": [\\\"sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783070956\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:28:22Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://974cecc17eccf0cf238453605b3f9a7807898ea7e29c0e27b1c77ebdc97e185b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:29:20Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917\\\", \\\"digests\\\": [\\\"sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783070956\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:29:17Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                },
                                "requests": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=$(echo content-$arch)\n    mkdir -p \"$destination\"\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n    if [ $? -ne 0 ]; then\n      echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "build.appstudio.redhat.com/commit_sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "build.appstudio.redhat.com/pull_request_number": "22774",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-c4a4687d54",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969855127",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-atayna",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-b289z",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/5e2379c4-9470-44ab-bf34-da72dcf9436e/records/e0cf9679-83e2-4483-ad28-40448eb97dc0",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"52eb37d0bb8d37e5becf0e76a3e07fe42166f917\",\"eventType\":\"pull_request\",\"pull_request-id\":22774}",
                    "results.tekton.dev/result": "group-i4dp/results/5e2379c4-9470-44ab-bf34-da72dcf9436e",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR konflux-test-integration-clone-ld7t88-on-pull-request-9np5w is running for component konflux-test-integration-clone-ld7t88, waiting for it to create a new group Snapshot for PR group pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:24:41Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969855127",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-b289z",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-b289z",
                    "tekton.dev/pipelineRunUID": "5e2379c4-9470-44ab-bf34-da72dcf9436e",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "python-component-28wip7-on-pull-request-b289z-clone-repository",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-b289z",
                        "uid": "5e2379c4-9470-44ab-bf34-da72dcf9436e"
                    }
                ],
                "resourceVersion": "41387",
                "uid": "e0cf9679-83e2-4483-ad28-40448eb97dc0"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "revision",
                        "value": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "output",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-ae2654979f"
                        }
                    },
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-atayna"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:24:49Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:24:49Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-1b03233d954b8fbb28b615b7b1f768f7-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        "entryPoint": "git-clone",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1783070641"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "52eb37d"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    }
                ],
                "startTime": "2026-07-03T09:24:42Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://97bbf484906d3662606bfe5b25b449031a671b14106988b9b4c898c8fa78eac8",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:24:48Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"52eb37d0bb8d37e5becf0e76a3e07fe42166f917\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"52eb37d0bb8d37e5becf0e76a3e07fe42166f917\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1783070641\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"52eb37d\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:24:47Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://47c9afef634d04d3423b85cc0e615be54430bbac3a4f429be9fd443025bd5183",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:24:48Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"52eb37d0bb8d37e5becf0e76a3e07fe42166f917\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"52eb37d0bb8d37e5becf0e76a3e07fe42166f917\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1783070641\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"52eb37d\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:24:48Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.",
                    "params": [
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "source",
                            "description": "Subdirectory inside the `output` Workspace to clone the repo into.",
                            "name": "subdirectory",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Clean out the contents of the destination directory if it already exists before cloning.",
                            "name": "deleteExisting",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Deprecated. Has no effect. Will be removed in the future.",
                            "name": "gitInitImage",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "PARAM_DELETE_EXISTING",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_GIT_INIT_IMAGE"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n  set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n  echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n  # Delete any existing contents of the repo directory if it exists.\n  #\n  # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n  # or the root of a mounted volume.\n  if [ -d \"${CHECKOUT_DIR}\" ] ; then\n    # Delete non-hidden files and directories\n    rm -rf \"${CHECKOUT_DIR:?}\"/*\n    # Delete files and directories starting with . but excluding ..\n    rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n    # Delete files and directories starting with .. plus any other character\n    rm -rf \"${CHECKOUT_DIR}\"/..?*\n  fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n  cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\nif ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n  echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n  echo \"--- Git Status ---\"\n  git status\n  echo \"------------------\"\n  exit 1\nfi\n\n# Check if there are changes staged for commit\nif git diff --staged --quiet; then\n  echo \"No diff was found, skipping merge...\" \u003e\u00262\nelse\n  echo \"Merge successful (no conflicts found), committing...\"\nif ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n  echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n  exit 1\nfi\n  MERGED_SHA=$(git rev-parse HEAD)\n  echo \"New HEAD after merge: ${MERGED_SHA}\"\n  echo \"${MERGED_SHA}\" \u003e \"/tekton/results/merged_sha\"\nfi\n\nelse\n  echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink\n  do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The git repo will be cloned onto the volume backing this Workspace.",
                            "name": "output"
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "build.appstudio.redhat.com/commit_sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "build.appstudio.redhat.com/pull_request_number": "22774",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969855127",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-atayna",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-b289z",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/5e2379c4-9470-44ab-bf34-da72dcf9436e/records/bcf6685c-a1ac-4150-b4e4-ae483a9ef508",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"52eb37d0bb8d37e5becf0e76a3e07fe42166f917\",\"eventType\":\"pull_request\",\"pull_request-id\":22774}",
                    "results.tekton.dev/result": "group-i4dp/results/5e2379c4-9470-44ab-bf34-da72dcf9436e",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR konflux-test-integration-clone-ld7t88-on-pull-request-9np5w is running for component konflux-test-integration-clone-ld7t88, waiting for it to create a new group Snapshot for PR group pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:24:34Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969855127",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-b289z",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-b289z",
                    "tekton.dev/pipelineRunUID": "5e2379c4-9470-44ab-bf34-da72dcf9436e",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "python-component-28wip7-on-pull-request-b289z-init",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-b289z",
                        "uid": "5e2379c4-9470-44ab-bf34-da72dcf9436e"
                    }
                ],
                "resourceVersion": "41322",
                "uid": "bcf6685c-a1ac-4150-b4e4-ae483a9ef508"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:24:38Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:24:38Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-pull-request-b289z-init-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-07-03T09:24:35Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                        "name": "init",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://de8a7f246a23ea938be61a1bf136a6b6b17c829ec518d57e72ee0f32aa55ad69",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:24:38Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:24:37Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "build.appstudio.redhat.com/commit_sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "build.appstudio.redhat.com/pull_request_number": "22774",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-c4a4687d54",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969855127",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-atayna",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-b289z",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/5e2379c4-9470-44ab-bf34-da72dcf9436e/records/eea3cde5-b22c-4052-93e2-d3974ec12479",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"52eb37d0bb8d37e5becf0e76a3e07fe42166f917\",\"eventType\":\"pull_request\",\"pull_request-id\":22774}",
                    "results.tekton.dev/result": "group-i4dp/results/5e2379c4-9470-44ab-bf34-da72dcf9436e",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, appstudio",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR konflux-test-integration-clone-ld7t88-on-pull-request-9np5w is running for component konflux-test-integration-clone-ld7t88, waiting for it to create a new group Snapshot for PR group pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:28:04Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969855127",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-b289z",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-b289z",
                    "tekton.dev/pipelineRunUID": "5e2379c4-9470-44ab-bf34-da72dcf9436e",
                    "tekton.dev/pipelineTask": "push-dockerfile",
                    "tekton.dev/task": "push-dockerfile",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "python-component-28wip7-on-pull-request-b289z-push-dockerfile",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-b289z",
                        "uid": "5e2379c4-9470-44ab-bf34-da72dcf9436e"
                    }
                ],
                "resourceVersion": "44979",
                "uid": "eea3cde5-b22c-4052-93e2-d3974ec12479"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "docker/Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "python-component"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "push-dockerfile"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3@sha256:64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-ae2654979f"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:28:23Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:28:23Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-8c713e9a830ffb7e33c9fbd3b32317b4-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        "entryPoint": "push-dockerfile",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7@sha256:cdb18558f3d4406d52255fe50a53a2b4d4a1e56460edd5b9fc257f4fb2797455"
                    }
                ],
                "startTime": "2026-07-03T09:28:07Z",
                "steps": [
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://df13c50ec2a3b02c81370a8bbbd7f5b26ecfe7f8a191564e55c0b09cf96fca02",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:28:22Z",
                            "message": "[{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7@sha256:cdb18558f3d4406d52255fe50a53a2b4d4a1e56460edd5b9fc257f4fb2797455\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:28:22Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.",
                    "params": [
                        {
                            "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": ".dockerfile",
                            "description": "Suffix of the Dockerfile image tag.",
                            "name": "TAG_SUFFIX",
                            "type": "string"
                        },
                        {
                            "default": "application/vnd.konflux.dockerfile",
                            "description": "Artifact type of the Dockerfile image.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest-pinned image reference to the Dockerfile image.",
                            "name": "IMAGE_REF",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--source",
                                "source",
                                "--context",
                                "python-component",
                                "--containerfile",
                                "docker/Dockerfile",
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                                "--image-digest",
                                "sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc",
                                "--artifact-type",
                                "application/vnd.konflux.dockerfile",
                                "--tag-suffix",
                                ".dockerfile",
                                "--result-path-image-ref",
                                "/tekton/results/IMAGE_REF",
                                "--alternative-filename",
                                "Dockerfile"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "push-containerfile"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                            "name": "push",
                            "workingDir": "/workspace/workspace"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code from where the Dockerfile is discovered.",
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "build.appstudio.redhat.com/commit_sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "build.appstudio.redhat.com/pull_request_number": "22774",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-c4a4687d54",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969855127",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-atayna",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-b289z",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/5e2379c4-9470-44ab-bf34-da72dcf9436e/records/c69b6228-43bd-43da-a183-2b06616ff53d",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"52eb37d0bb8d37e5becf0e76a3e07fe42166f917\",\"eventType\":\"pull_request\",\"pull_request-id\":22774}",
                    "results.tekton.dev/result": "group-i4dp/results/5e2379c4-9470-44ab-bf34-da72dcf9436e",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR konflux-test-integration-clone-ld7t88-on-pull-request-9np5w is running for component konflux-test-integration-clone-ld7t88, waiting for it to create a new group Snapshot for PR group pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:28:04Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969855127",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-b289z",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-b289z",
                    "tekton.dev/pipelineRunUID": "5e2379c4-9470-44ab-bf34-da72dcf9436e",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "python-component-28wip7-on-pull-request-b289z-sast-shell-check",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-b289z",
                        "uid": "5e2379c4-9470-44ab-bf34-da72dcf9436e"
                    }
                ],
                "resourceVersion": "44938",
                "uid": "c69b6228-43bd-43da-a183-2b06616ff53d"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-ae2654979f"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:28:31Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:28:31Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-15e0f8fd52689a881f483303a6cf7bb8-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        "entryPoint": "sast-shell-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:28:25+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:28:06Z",
                "steps": [
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-shell-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://75f8b84c72a6ea907f0ef3b16e9f6a26f54b92e2acb4e03906b16673b4bb0076",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:28:26Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:28:25+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:28:24Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6998e99e7a824112a40c8b14efb2d08a91f4979afa3c7edd5db7a5700a56ab70",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:28:27Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:28:25+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:28:26Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "8",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/workspace/workspace/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n    read -r quota period \u003c /sys/fs/cgroup/cpu.max\n    if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n        export SC_JOBS=$(((quota + period - 1) / period))\n        echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n    fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n    --mode=json\n    --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n    # predefined list of shellcheck important findings\n    CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n    CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n    CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n    CSGREP_OPTS+=(\n        --event=\"$CSGREP_EVENT_FILTER\"\n    )\nelse\n    CSGREP_OPTS+=(\n        --event=\"error|warning\"\n    )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e \"$OUTPUT_FILE\"; then\n    echo \"Error occurred while running 'run-shellcheck.sh'\"\n    note=\"Task sast-shell-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e \"${OUTPUT_FILE}.filtered\" 2\u003e \"${OUTPUT_FILE}.error\"\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n        mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003e shellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n    echo 'No image-url or image-digest param provided. Skipping upload.'\n    exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n        echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n        continue\n    fi\n\n    # Determine the media type based on the file extension\n    if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n        MEDIA_TYPE=\"application/json\"\n    else\n        MEDIA_TYPE=\"application/sarif+json\"\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n      exit 1\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "build.appstudio.redhat.com/commit_sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "build.appstudio.redhat.com/pull_request_number": "22774",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-c4a4687d54",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969855127",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-atayna",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-b289z",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/5e2379c4-9470-44ab-bf34-da72dcf9436e/records/37ae61f6-15fd-412d-96a2-bf364379a78e",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"52eb37d0bb8d37e5becf0e76a3e07fe42166f917\",\"eventType\":\"pull_request\",\"pull_request-id\":22774}",
                    "results.tekton.dev/result": "group-i4dp/results/5e2379c4-9470-44ab-bf34-da72dcf9436e",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR konflux-test-integration-clone-ld7t88-on-pull-request-9np5w is running for component konflux-test-integration-clone-ld7t88, waiting for it to create a new group Snapshot for PR group pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:28:03Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969855127",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-b289z",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-b289z",
                    "tekton.dev/pipelineRunUID": "5e2379c4-9470-44ab-bf34-da72dcf9436e",
                    "tekton.dev/pipelineTask": "sast-snyk-check",
                    "tekton.dev/task": "sast-snyk-check",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "python-component-28wip7-on-pull-request-b289z-sast-snyk-check",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-b289z",
                        "uid": "5e2379c4-9470-44ab-bf34-da72dcf9436e"
                    }
                ],
                "resourceVersion": "44833",
                "uid": "37ae61f6-15fd-412d-96a2-bf364379a78e"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-snyk-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-ae2654979f"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:28:24Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:28:24Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-b5ae7ff2031eaaf873ed532df24acb9c-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        "entryPoint": "sast-snyk-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-03T09:28:23+00:00\",\"note\":\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:28:04Z",
                "steps": [
                    {
                        "container": "step-sast-snyk-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-snyk-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a76fb9176169c7d60c77674ce8b9edef09ab6aeaf7b578e1d30720bbd85b46b9",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:28:23Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-03T09:28:23+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:28:21Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://be22779737f95f3f1dbbb23ae975013bfbdc87600e53cb629a08fde77a2aa9da",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:28:23Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-03T09:28:23+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:28:23Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.\n\nFollow the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/) to obtain a snyk-token and to enable the snyk task in a Pipeline.\n\nThe snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test\n\nSee https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.",
                    "params": [
                        {
                            "default": "snyk-secret",
                            "description": "Name of secret which contains Snyk token.",
                            "name": "SNYK_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Append arguments.",
                            "name": "ARGS",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Digest of the image to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Report only important findings in task result. Default is \"true\". To report all findings in task result, specify \"false\". Uploaded SARIF report to remote registry always includes all findings, regardless of severity level.",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Write excluded records in file. Useful for auditing (defaults to false).",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.",
                            "name": "IGNORE_FILE_PATHS",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "6Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "6Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNYK_SECRET",
                                    "value": "snyk-secret"
                                },
                                {
                                    "name": "ARGS"
                                },
                                {
                                    "name": "IGNORE_FILE_PATHS"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-snyk-check",
                            "script": "#!/usr/bin/env bash\n\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\n# Installation of Red Hat certificates for cloning Red Hat internal repositories\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSNYK_TOKEN_PATH=\"/etc/secrets/snyk_token\"\nif [ -f \"${SNYK_TOKEN_PATH}\" ] \u0026\u0026 [ -s \"${SNYK_TOKEN_PATH}\" ]; then\n  # SNYK token is provided\n  SNYK_TOKEN=\"$(cat ${SNYK_TOKEN_PATH})\"\n  export SNYK_TOKEN\nelse\n  # According to shellcheck documentation, the following error can be ignored as it is ignored through indirection: https://www.shellcheck.net/wiki/SC2034\n  # shellcheck disable=SC2034\n  to_enable_snyk='[here](https://konflux-ci.dev/docs/testing/build/snyk/)'\n  note=\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given ${to_enable_snyk}\"\n  TEST_OUTPUT=$(make_result_json -r SKIPPED -t \"$note\")\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nSNYK_EXIT_CODE=0\nSOURCE_CODE_DIR=/workspace/workspace\n\n# We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.\n(cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 IFS=\",\" \u0026\u0026 for path in $IGNORE_FILE_PATHS; do\n  snyk ignore --file-path=\"source/${path}\"\ndone)\n\nset +e\necho \"INFO: Running 'snyk code test'..\"\n# We do want to expand ARGS (it can be multiple CLI flags, not just one)\n# shellcheck disable=SC2086\n\n# Generate full paths for each directory in TARGET_DIRS\nIFS=\",\" read -ra TARGETS_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGETS_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # Ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ ! \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\n\n  # Ensure directory exists\n  if [ ! -d \"$resolved_path\" ]; then\n    echo \"Warning: Directory $resolved_path does not exist, skipping\"\n    continue\n  fi\n\n  echo \"INFO: Scanning directory: $resolved_path\"\n  # We do want to expand ARGS (it can be multiple CLI flags, not just one)\n  # shellcheck disable=SC2086\n  snyk code test $ARGS \"$resolved_path\" --max-depth=1 --sarif-file-output=\"${resolved_path}/sast_snyk_check_out_${d//\\//_}.json\" 1\u003e\u00262\u003e\u003e stdout.txt\n  cmd_exit_code=$?\n  # Track the exit code: if any snyk command fails, preserve the failure\n  # Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error, 3 = no supported files\n  # Error codes (2+) always override, warning codes (1,3) only if no previous error\n  if [[ \"$cmd_exit_code\" -ne 0 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 1 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 3 ]]; then\n    SNYK_EXIT_CODE=$cmd_exit_code\n  fi\n\ndone\n\n# Merge all SARIF outputs\nfind \"$SOURCE_CODE_DIR\" -name \"sast_snyk_check_out_*.json\" -exec cat {} + \u003e \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\nset -e\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\n\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n  # Check if the merged SARIF file has content - this could happen if the snyk scan found no findings\n  if [ ! -s \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\" ]; then\n    echo \"WARN: No JSON output files were generated by snyk scan\"\n    # Get snyk version for proper SARIF metadata\n    SNYK_VERSION=$(snyk --version 2\u003e/dev/null | head -1 | tr -d '\\n' || echo \"unknown\")\n    # Create a valid minimal SARIF structure using jq\n    # Note: coverage array is required even when empty because downstream jq commands expect it\n    jq -n --arg version \"$SNYK_VERSION\" '{\n      \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n      \"version\": \"2.1.0\",\n      \"runs\": [{\n        \"tool\": {\n          \"driver\": {\n            \"name\": \"snyk\",\n            \"version\": $version,\n            \"informationUri\": \"https://snyk.io\"\n          }\n        },\n        \"results\": [],\n        \"properties\": {\n          \"coverage\": []\n        }\n      }]\n    }' \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\n  fi\n\n  # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context\n  (cd  \"${SOURCE_CODE_DIR}\" \u0026\u0026 csgrep --mode=json --embed-context=3 \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json) \\\n    | csgrep --mode=json --strip-path-prefix=\"source/\"  \\\n    \u003e sast_snyk_check_out_all_findings.json\n\n  echo \"INFO: Initial results:\"\n  csgrep --mode=evtstat sast_snyk_check_out_all_findings.json\n\n  if [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\n  fi\n  PROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n  # create the KFP clone directory regardless\n  KFP_DIR=\"known-false-positives\"\n  KFP_CLONED=\"0\"\n  mkdir \"${KFP_DIR}\"\n\n  # We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\n  if [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n      echo \"INFO: Trying to clone known-false-positives..\"\n      git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\n  fi\n\n  if [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone know-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json\n  else\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    CMD=(\n      csfilter-kfp\n      --verbose\n      --kfp-dir=\"${KFP_DIR}\"\n      --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [ \"${RECORD_EXCLUDED}\" == \"true\" ]; then\n      CMD+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    set +e\n    \"${CMD[@]}\" sast_snyk_check_out_all_findings.json \u003e filtered_sast_snyk_check_out.json\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n      echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n      echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\n    echo \"INFO: Results after filtering:\"\n    (set -x \u0026\u0026 csgrep --mode=evtstat filtered_sast_snyk_check_out.json)\n  fi\n\n  # Generation of scan stats\n\n  total_files=$(jq '[.runs[0].properties.coverage[].files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n  supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == \"SUPPORTED\") | .files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n\n  # We make sure the values are 0 if no supported/total files are found\n  if [ \"$total_files\" = \"null\" ] || [ -z \"$total_files\" ]; then\n    total_files=0\n  fi\n\n  if [ \"$supported_files\" = \"null\" ] || [ -z \"$supported_files\" ]; then\n    supported_files=0\n  fi\n\n  coverage_ratio=0\n  if (( total_files \u003e 0 )); then\n      coverage_ratio=$((supported_files * 100 / total_files))\n  fi\n\n  # embed stats in results file and convert to SARIF\n  csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:\"${coverage_ratio}\" \\\n                      --set-scan-prop snyk-scanned-files-success:\"${supported_files}\"  \\\n                      --set-scan-prop snyk-scanned-files-total:\"${total_files}\" \\\n                      filtered_sast_snyk_check_out.json  \u003e sast_snyk_check_out.sarif\n\n  # Create filtered SARIF for Tekton task result based on IMP_FINDINGS_ONLY parameter\n  if [ \"${IMP_FINDINGS_ONLY}\" == \"true\" ]; then\n    # Filter to only \"error\" level or higher (high/critical severity) for Tekton task result\n    # In SARIF, defects are given a level like \"error\" or \"warning\". Snyk maps \"high\" level findings to \"error\".\n    # - \"error\" → importance level 1\n    # - \"warning\" (or missing level) → importance level 0\n    RESULT_SARIF=\"result_sast_snyk_check_out.sarif\"\n    csgrep --mode=sarif --imp-level 1 sast_snyk_check_out.sarif \u003e \"$RESULT_SARIF\"\n  else\n    # Use all findings for Tekton task result\n    RESULT_SARIF=\"sast_snyk_check_out.sarif\"\n  fi\n\n  TEST_OUTPUT=\n  parse_test_output \"sast-snyk-check\" sarif \"$RESULT_SARIF\"  || true\n\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n  note=\"Task sast-snyk-check success: Snyk code test found zero supported files.\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-snyk-check test failed because of the following issues:\"\n  cat stdout.txt\n  note=\"Task sast-snyk-check failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets",
                                    "name": "snyk-secret",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_snyk_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n    if [ \"${UPLOAD_FILES}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach to ${IMAGE_URL}\"\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "snyk-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "snyk-secret"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "build.appstudio.redhat.com/commit_sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "build.appstudio.redhat.com/pull_request_number": "22773",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84967978960",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ycsfib",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-nq6fx",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-28wip7",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-28wip7",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/d0903d73-a704-4437-bb2a-90c56c6912d6/records/565398b1-6eee-4800-8156-175a9e61fae7",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\",\"eventType\":\"pull_request\",\"pull_request-id\":22773}",
                    "results.tekton.dev/result": "group-i4dp/results/d0903d73-a704-4437-bb2a-90c56c6912d6",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-28wip7",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:17:16Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84967978960",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-nq6fx",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-nq6fx",
                    "tekton.dev/pipelineRunUID": "d0903d73-a704-4437-bb2a-90c56c6912d6",
                    "tekton.dev/pipelineTask": "apply-tags",
                    "tekton.dev/task": "apply-tags",
                    "test.appstudio.openshift.io/pr-group-sha": "258679abe19d5d494ae31bf8378944fc84231aac62b193a6d81f2ac7866fe4"
                },
                "name": "python-component-28wip7-on-pull-request-nq6fx-apply-tags",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-nq6fx",
                        "uid": "d0903d73-a704-4437-bb2a-90c56c6912d6"
                    }
                ],
                "resourceVersion": "33428",
                "uid": "565398b1-6eee-4800-8156-175a9e61fae7"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "apply-tags"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:17:29Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:17:29Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-pull-request-nq6fx-apply-tags-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        "entryPoint": "apply-tags",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags"
                    }
                },
                "startTime": "2026-07-03T09:17:19Z",
                "steps": [
                    {
                        "container": "step-apply-additional-tags",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                        "name": "apply-additional-tags",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f5ebbe949b5d30b65fa79d4895a5eb712e0174555aa789cef2819629ccbe3773",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:17:28Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:17:27Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Applies additional tags to the built image.",
                    "params": [
                        {
                            "description": "Image repository and tag reference of the the built image.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest of the built image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional tags that will be applied to the image in the registry.",
                            "name": "ADDITIONAL_TAGS",
                            "type": "array"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                                "--digest",
                                "sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4",
                                "--tags",
                                "--tags-from-image-label",
                                "konflux.additional-tags"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "apply-tags"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                            "name": "apply-additional-tags"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "build.appstudio.redhat.com/commit_sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "build.appstudio.redhat.com/pull_request_number": "22773",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-909fd0dfdb",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84967978960",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ycsfib",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-nq6fx",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-28wip7",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-28wip7",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/d0903d73-a704-4437-bb2a-90c56c6912d6/records/8a549773-dd35-40ba-9568-304ddd016739",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\",\"eventType\":\"pull_request\",\"pull_request-id\":22773}",
                    "results.tekton.dev/result": "group-i4dp/results/d0903d73-a704-4437-bb2a-90c56c6912d6",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-28wip7",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:14:20Z",
                "finalizers": [
                    "results.tekton.dev/taskrun",
                    "chains.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84967978960",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-nq6fx",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-nq6fx",
                    "tekton.dev/pipelineRunUID": "d0903d73-a704-4437-bb2a-90c56c6912d6",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah",
                    "test.appstudio.openshift.io/pr-group-sha": "258679abe19d5d494ae31bf8378944fc84231aac62b193a6d81f2ac7866fe4"
                },
                "name": "python-component-28wip7-on-pull-request-nq6fx-build-container",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-nq6fx",
                        "uid": "d0903d73-a704-4437-bb2a-90c56c6912d6"
                    }
                ],
                "resourceVersion": "32434",
                "uid": "8a549773-dd35-40ba-9568-304ddd016739"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "docker/Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "python-component"
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.9@sha256:b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-2d153916f7"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:17:05Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:17:05Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-8a27080c1fb9bb019b3e984ce8da7c5c-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        "entryPoint": "buildah",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d@sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7@sha256:20c29469db240c861b36091a172a5515b5069272e38be8a863e8c8eaefdf3306"
                    }
                ],
                "startTime": "2026-07-03T09:14:20Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://388f30c9c456ba768b17c568bc239d3554199d0eb075f2e4a3e12cefee7e820b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:15:02Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:14:34Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://23856cc19563cf918b5734a1c43b35d47d4ced989016b4f77adca39c0fef4284",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:15:41Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d@sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:15:03Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "sbom-syft-generate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://786c1d2c80533b7794f946b5b9c203a50cc54429280e8353bb36b8882d16fb20",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:16:03Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d@sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:15:41Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "prepare-sboms",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://fc4d413bacf2210f53ec911a1cbc9fb3f49eac83ce08241a206318fb40516af5",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:16:26Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d@sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:16:03Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://9263e2d9f0eed533485b1a3d657dc525f025f196f062e1c2f2b8d2e8f96b6589",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:17:04Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d@sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7@sha256:20c29469db240c861b36091a172a5515b5069272e38be8a863e8c8eaefdf3306\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:16:27Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.",
                    "params": [
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to enable privileged mode, should be used only with remote VMs",
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "4Gi"
                            },
                            "requests": {
                                "cpu": "1",
                                "memory": "4Gi"
                            }
                        },
                        "env": [
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "python-component"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "5d"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "ENTITLEMENT_SECRET",
                                "value": "etc-pki-entitlement"
                            },
                            {
                                "name": "ACTIVATION_KEY",
                                "value": "activation-key"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--build-args",
                                "--env",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                },
                                "requests": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "docker/Dockerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n  if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n    echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n    export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n      echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n      export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n    fi\n  fi\n}\n\nfunction unset_proxy {\n  echo \"[$(date --utc -Ins)] Unsetting proxy\"\n  unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n  echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n  CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n  \"$source_dir_path\" | \"$source_dir_path/\"*)\n    # path is valid, do nothing\n    ;;\n  *)\n    echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n    echo \"Source path: $source_dir_path\" \u003e\u00262\n    echo \"Resolved path: $context_dir_path\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n  # Instrumented builds (SAST) use this custom dockerfile step as their base\n  dockerfile_path=\"$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n  icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e /etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n  while IFS= read -r line || [[ -n \"$line\" ]]; do\n    # Skip empty lines and comments\n    if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n      ANNOTATIONS+=(\"--annotation\" \"$line\")\n    fi\n  done \u003c \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n    case $1 in\n        --build-args)\n            shift\n            # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n            # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n            # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do build_args+=(\"$1\"); shift; done\n            ;;\n        --env)\n            shift\n            # Collect env entries of the form KEY=value\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do env_vars+=(\"$1\"); shift; done\n            ;;\n        --labels)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do LABELS+=(\"--label\" \"$1\"); shift; done\n            ;;\n        --annotations)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ANNOTATIONS+=(\"--annotation\" \"$1\"); shift; done\n            ;;\n        *)\n            echo \"unexpected argument: $1\" \u003e\u00262\n            exit 2\n            ;;\n    esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n  BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n  ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e /shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n    jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--pull=never\")\n  UNSHARE_ARGS+=(\"--net\")\n  buildah_retries=3\n\n  set_proxy\n\n  for image in $BASE_IMAGES; do\n    if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"\n    then\n      echo \"Failed to pull base image ${image}\"\n      exit 1\n    fi\n  done\n\n  unset_proxy\n\n  echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n  BUILDAH_ARGS+=(\"--cap-add=all\")\n  BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n  BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n  if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n    BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n  fi\n  if [ -n \"$BUILD_TIMESTAMP\" ]; then\n    echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n    exit 1\n  fi\n  # but do set it so that we get all the labels/annotations associated with it\n  BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/workspace/source/cachi2/cachi2.env\" ]; then\n  # Identify the current arch to filter the prefetched content\n  PREFETCH_ARCH=\"$(uname -m)\"\n  echo \"$PREFETCH_ARCH\" \u003e /shared/prefetch-arch\n\n  echo \"Prefetched content will be made available\"\n\n  cp -r \"/workspace/source/cachi2\" /tmp/\n  chmod -R go+rwX /tmp/cachi2\n\n  # In case RPMs were prefetched and this is a multi-arch build,\n  # clean up the packages that do not match the architecture being built\n  RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n  if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n    echo \"Removing prefetched RPMs from non-matching architectures\"\n    PREFETCH_ARCH=\"$(uname -m)\"\n    for path in \"$RPM_PREFETCH_DIR\"/*; do\n      if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n        echo \"Removing: $path\"\n        rm -rf \"$path\"\n      else\n        echo \"Keeping: $path\"\n      fi\n    done\n  fi\n\n  VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n  # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n  # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n  sed -E -i \\\n      -e 'H;1h;$!d;x' \\\n      -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n    @igM' \\\n      \"$dockerfile_copy\"\n\n  prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n  if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n    echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n    mkdir -p \"$YUM_REPOS_D_FETCHED\"\n    if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n      cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n    fi\n  fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n  cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n  mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n  VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n  \"--label\" \"architecture=$(uname -m)\"\n  \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n  BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n  BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n  FINAL_BASE_IMAGE=$(\n    # Get the base image of the final stage\n    # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n    # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n    # Run the find_root_stage() function on the final stage\n    # If the final stage is scratch or oci-archive, return empty\n    jq -r '.Stages as $all_stages |\n      def find_root_stage($stage):\n        if $stage.From.Stage then\n          find_root_stage($all_stages[$stage.From.Stage.Index])\n        else\n          $stage\n        end;\n\n        find_root_stage(.Stages[-1]) |\n        if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n          empty\n        else\n          .BaseName\n        end' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n  )\n  if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n    set_proxy\n    buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null` `\n    unset_proxy\n    buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n  fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n  if [[ \"$label\" != \"--label\" ]]; then\n    label_pairs+=(\"$label\")\n  fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n  label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n  [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n  | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  echo \"\" \u003e\u003e\"$dockerfile_copy\"\n  # Always write labels.json to the new standard location\n  echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  # Conditionally write to the old location for backward compatibility\n  if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n    echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n  ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n  cp \"$containerignore\" \"$ignorefile_copy\"\n  {\n    echo \"\"\n    echo \"!/labels.json\"\n    echo \"!/content-sets.json\"\n  } \u003e\u003e \"$ignorefile_copy\"\n  BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n#    shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n  cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n  mkdir -p /shared/rhsm/etc/pki/entitlement\n  mkdir -p /shared/rhsm/etc/pki/consumer\n\n  VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key \\\n                  -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z \\\n                  -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n  echo \"Adding activation key to the build\"\n\n  if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n    # user is not running registration in the Containerfile: pre-register.\n    echo \"Pre-registering with subscription manager.\"\n    export RETRY_MAX_TRIES=6\n    if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"\n    then\n      echo \"Subscription-manager register failed\"\n      exit 1\n    fi\n    unset RETRY_MAX_TRIES\n    trap 'subscription-manager unregister || true' EXIT\n\n    # copy generated certificates to /shared volume\n    cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n    cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n    # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n    VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n  fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e /dev/null; then\n  cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n  VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n  echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n  if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n    echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n    echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n    exit 1\n  fi\n  # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n  # (we set the workdir using 'unshare -w')\n  context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n  VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n  # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n  # Instrumented builds (SAST) use this step as their base and add some other tools.\n  while read -r volume_mount; do\n    VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n  done \u003c\u003c\u003c \"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n  cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n  while read -r filename; do\n    echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n    BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n  done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n    buildah build\n    \"${VOLUME_MOUNTS[@]}\"\n    \"${BUILDAH_ARGS[@]}\"\n    \"${LABELS[@]}\"\n    \"${ANNOTATIONS[@]}\"\n    --tls-verify=\"$TLSVERIFY\" --no-cache\n    --ulimit nofile=4096:4096\n    --http-proxy=false\n    -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n  command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n  command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n  # Get the image pullspec and filter out a tag if it is not set\n  # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n  base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n  # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n  # if buildah did not use that particular image during build because it was skipped\n  if [ -n \"$base_image_digest\" ]; then\n    echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n  fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e /shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "python-component-28wip7-on-pull-request-nq6fx-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "push",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"\nthen\n  echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/workspace/source/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n  echo \"Failed to push sbom image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c \"/workspace/source\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/workspace/source/image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"\nthen\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n  [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n  [rekorInternalUrl]=REKOR_URL\n  [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n  [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n  [rekorInternalUrl]=rekorExternalUrl\n  [fulcioInternalUrl]=fulcioExternalUrl\n  [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e /shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e /tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\n  cyclonedx)\n    syft_sbom_type=cyclonedx-json@1.5 ;;\n  spdx)\n    syft_sbom_type=spdx-json@2.3 ;;\n  *)\n    echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/workspace/source/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/source/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n    --additional-base-images)\n      shift\n      while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ADDITIONAL_BASE_IMAGES+=(\"$1\"); shift; done\n      ;;\n    *)\n      echo \"unexpected argument: $1\" \u003e\u00262\n      exit 2\n      ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/workspace/source/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/workspace/source/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/workspace/source/sbom-source.json\")\nfi\n\nif [ -f \"/workspace/source/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/workspace/source/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n    # spdx export data as rawstring, we want structured json as cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code to build.",
                            "name": "source"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "build.appstudio.redhat.com/commit_sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "build.appstudio.redhat.com/pull_request_number": "22773",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84967978960",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ycsfib",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-nq6fx",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-28wip7",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-28wip7",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/d0903d73-a704-4437-bb2a-90c56c6912d6/records/2156417c-0ebf-427c-9961-b0515140af9a",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\",\"eventType\":\"pull_request\",\"pull_request-id\":22773}",
                    "results.tekton.dev/result": "group-i4dp/results/d0903d73-a704-4437-bb2a-90c56c6912d6",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-28wip7",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:17:05Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84967978960",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-nq6fx",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-nq6fx",
                    "tekton.dev/pipelineRunUID": "d0903d73-a704-4437-bb2a-90c56c6912d6",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "tekton.dev/task": "build-image-index",
                    "test.appstudio.openshift.io/pr-group-sha": "258679abe19d5d494ae31bf8378944fc84231aac62b193a6d81f2ac7866fe4"
                },
                "name": "python-component-28wip7-on-pull-request-nq6fx-build-image-index",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-nq6fx",
                        "uid": "d0903d73-a704-4437-bb2a-90c56c6912d6"
                    }
                ],
                "resourceVersion": "33250",
                "uid": "2156417c-0ebf-427c-9961-b0515140af9a"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d@sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:17:16Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:17:16Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-33c2f8c24486efdeebae8d1d59643b7a-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        "entryPoint": "build-image-index",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7@sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                    }
                ],
                "startTime": "2026-07-03T09:17:05Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://da9e62a191a24f68a873b98d3923d947fcb66946823b2a5962c3f465db67d601",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:17:12Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7@sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:17:10Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "create-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://88eabae155d630cfb15cfcae1c2d10bc4575cb0f1c68b0f22295dd702253a7cb",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:17:13Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7@sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:17:13Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f555f1a3eb1ac62bdd832fed77612aab0144265124747ab34a9fc4cef6976ece",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:17:15Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7@sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:17:13Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The commit the image is built from.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "COMMIT_SHA",
                                "value": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d@sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n  echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n  exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n  TOADD=\"$i\"\n  TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n  TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n  if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n    #format is repository:tag@sha256:digest\n    #we need to remove the tag, and just reference the digest\n    #as tag + digest is not supported\n    TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n    TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n  fi\n  if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n    echo \"Skipping image index generation. Returning results for $TOADD.\"\n    echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n    echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n    echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n    exit 0\n  fi\n\n  echo \"Adding $TOADD\"\n  buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n  INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n  INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n  echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n  echo \"This will cause digest changes and break SBOM accessibility.\"\n  echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n  exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n    echo \"Failed to push image ${IMAGE} to registry\"\n    exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:python-component-28wip7-on-pull-request-nq6fx-build-image-index\"\nthen\n    echo \"Failed to push image ${IMAGE%:*}:python-component-28wip7-on-pull-request-nq6fx-build-image-index to registry\"\n    exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n  image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n  echo -n \"${IMAGE}@\"\n  cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "build.appstudio.redhat.com/commit_sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "build.appstudio.redhat.com/pull_request_number": "22773",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84967978960",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ycsfib",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-nq6fx",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-28wip7",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-28wip7",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/d0903d73-a704-4437-bb2a-90c56c6912d6/records/4f3c6dc7-257f-4fe0-8da2-87274175224a",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\",\"eventType\":\"pull_request\",\"pull_request-id\":22773}",
                    "results.tekton.dev/result": "group-i4dp/results/d0903d73-a704-4437-bb2a-90c56c6912d6",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-28wip7",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:17:16Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84967978960",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-nq6fx",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-nq6fx",
                    "tekton.dev/pipelineRunUID": "d0903d73-a704-4437-bb2a-90c56c6912d6",
                    "tekton.dev/pipelineTask": "clair-scan",
                    "tekton.dev/task": "clair-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "258679abe19d5d494ae31bf8378944fc84231aac62b193a6d81f2ac7866fe4"
                },
                "name": "python-component-28wip7-on-pull-request-nq6fx-clair-scan",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-nq6fx",
                        "uid": "d0903d73-a704-4437-bb2a-90c56c6912d6"
                    }
                ],
                "resourceVersion": "34547",
                "uid": "4f3c6dc7-257f-4fe0-8da2-87274175224a"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clair-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:18:39Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:18:39Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-pull-request-nq6fx-clair-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        "entryPoint": "clair-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\", \"digests\": [\"sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4\":\"sha256:cabce53a133b09ff9e10595f0c550b934321c6bdcbfe3428f77e72f9df58b249\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":331,\"medium\":873,\"low\":241,\"unknown\":2},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":4,\"medium\":489,\"low\":633,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:18:38+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:17:16Z",
                "steps": [
                    {
                        "container": "step-get-image-manifests",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "get-image-manifests",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://5d43781072a0d7c2147c897e77fa54b239691c8e69babb3128c8b7aa2233a335",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:17:34Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:17:30Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:e030a6094b6d88b430ed049a6a59808f4b795e9d8293d72a4bbab44da8cc429f",
                        "name": "get-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://73668a2089bc8ad4c3f4f329f9ff87e2e4e400d2636cea33e09f2cccb5d57bcf",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:18:08Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:17:35Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/oras@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                        "name": "oci-attach-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://9fa3bd35369dc3653cee97d238961921ec1637ba25631d7db6ef5d9c20ebd358",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:18:10Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:18:08Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "conftest-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://56dab8b11471c8003aa8ccc578858b36450363df087619aac3a799572d6d30e8",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:18:38Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\\\", \\\"digests\\\": [\\\"sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4\\\":\\\"sha256:cabce53a133b09ff9e10595f0c550b934321c6bdcbfe3428f77e72f9df58b249\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":331,\\\"medium\\\":873,\\\"low\\\":241,\\\"unknown\\\":2},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":4,\\\"medium\\\":489,\\\"low\\\":633,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:18:38+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:18:11Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform built by.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused, should be removed in next task version.",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Clair scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "get-image-manifests",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clair-in-ci:v1",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n  { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee  \"clair-report-$2.json\"; } \u0026\u0026 \\\n  { retry clair-action convert  --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-$arch.sha\"\n\n  if [ -e \"$sha_file\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n    local digest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running clair-action on $arch image manifest...\"\n    clair_report \"$digest\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n   fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_clair_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n  echo 'No Clair reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n  fi\n\n  #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "build.appstudio.redhat.com/commit_sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "build.appstudio.redhat.com/pull_request_number": "22773",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84967978960",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ycsfib",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-nq6fx",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-28wip7",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-28wip7",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/d0903d73-a704-4437-bb2a-90c56c6912d6/records/11206a34-9d57-4188-a956-76661540eb9d",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\",\"eventType\":\"pull_request\",\"pull_request-id\":22773}",
                    "results.tekton.dev/result": "group-i4dp/results/d0903d73-a704-4437-bb2a-90c56c6912d6",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-28wip7",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:17:16Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84967978960",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-nq6fx",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-nq6fx",
                    "tekton.dev/pipelineRunUID": "d0903d73-a704-4437-bb2a-90c56c6912d6",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "258679abe19d5d494ae31bf8378944fc84231aac62b193a6d81f2ac7866fe4"
                },
                "name": "python-component-28wip7-on-pull-request-nq6fx-clamav-scan",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-nq6fx",
                        "uid": "d0903d73-a704-4437-bb2a-90c56c6912d6"
                    }
                ],
                "resourceVersion": "34000",
                "uid": "11206a34-9d57-4188-a956-76661540eb9d"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:18:22Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:18:22Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-pull-request-nq6fx-clamav-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        "entryPoint": "clamav-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\", \"digests\": [\"sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1783070299\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-07-03T09:17:17Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:9b2b049119587b5e4e09297ce119396c17717381bbcd1a89041fdf3216073d36",
                        "name": "extract-and-scan-image",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://69ebff6262141411ead2710407d51ba7de6e5a01643cb55c3381a0e7d1ff9707",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:18:19Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\\\", \\\"digests\\\": [\\\"sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783070299\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:17:29Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f4bbe7e4d70b1ad0c3cd43c764890095ce268488f2c1c0990a84e7520909f6be",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:18:21Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\\\", \\\"digests\\\": [\\\"sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783070299\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:18:19Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                },
                                "requests": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=$(echo content-$arch)\n    mkdir -p \"$destination\"\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n    if [ $? -ne 0 ]; then\n      echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "build.appstudio.redhat.com/commit_sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "build.appstudio.redhat.com/pull_request_number": "22773",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-909fd0dfdb",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84967978960",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ycsfib",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-nq6fx",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-28wip7",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-28wip7",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/d0903d73-a704-4437-bb2a-90c56c6912d6/records/45c084a0-cb85-4876-9dfd-da0dc0a70ce9",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\",\"eventType\":\"pull_request\",\"pull_request-id\":22773}",
                    "results.tekton.dev/result": "group-i4dp/results/d0903d73-a704-4437-bb2a-90c56c6912d6",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-28wip7",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:13:54Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84967978960",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-nq6fx",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-nq6fx",
                    "tekton.dev/pipelineRunUID": "d0903d73-a704-4437-bb2a-90c56c6912d6",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone",
                    "test.appstudio.openshift.io/pr-group-sha": "258679abe19d5d494ae31bf8378944fc84231aac62b193a6d81f2ac7866fe4"
                },
                "name": "python-component-28wip7-on-pull-request-nq6fx-clone-repository",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-nq6fx",
                        "uid": "d0903d73-a704-4437-bb2a-90c56c6912d6"
                    }
                ],
                "resourceVersion": "30288",
                "uid": "45c084a0-cb85-4876-9dfd-da0dc0a70ce9"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "revision",
                        "value": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "output",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-2d153916f7"
                        }
                    },
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-ycsfib"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:14:00Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:14:00Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-6873c7039f084ec3145ebe0b67fe7236-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        "entryPoint": "git-clone",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1783070001"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "c4be1a4"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    }
                ],
                "startTime": "2026-07-03T09:13:54Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://21d1206f93d4d2b5de55d772056f861b68b7be3d0ce636f988353d6d2144869b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:13:59Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1783070001\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"c4be1a4\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:13:58Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6a2c3464813cba459d0ceb3ac93f2679e874a33fbbd507e37328e637651f5879",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:14:00Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1783070001\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"c4be1a4\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:14:00Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.",
                    "params": [
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "source",
                            "description": "Subdirectory inside the `output` Workspace to clone the repo into.",
                            "name": "subdirectory",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Clean out the contents of the destination directory if it already exists before cloning.",
                            "name": "deleteExisting",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Deprecated. Has no effect. Will be removed in the future.",
                            "name": "gitInitImage",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "PARAM_DELETE_EXISTING",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_GIT_INIT_IMAGE"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n  set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n  echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n  # Delete any existing contents of the repo directory if it exists.\n  #\n  # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n  # or the root of a mounted volume.\n  if [ -d \"${CHECKOUT_DIR}\" ] ; then\n    # Delete non-hidden files and directories\n    rm -rf \"${CHECKOUT_DIR:?}\"/*\n    # Delete files and directories starting with . but excluding ..\n    rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n    # Delete files and directories starting with .. plus any other character\n    rm -rf \"${CHECKOUT_DIR}\"/..?*\n  fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n  cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\nif ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n  echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n  echo \"--- Git Status ---\"\n  git status\n  echo \"------------------\"\n  exit 1\nfi\n\n# Check if there are changes staged for commit\nif git diff --staged --quiet; then\n  echo \"No diff was found, skipping merge...\" \u003e\u00262\nelse\n  echo \"Merge successful (no conflicts found), committing...\"\nif ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n  echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n  exit 1\nfi\n  MERGED_SHA=$(git rev-parse HEAD)\n  echo \"New HEAD after merge: ${MERGED_SHA}\"\n  echo \"${MERGED_SHA}\" \u003e \"/tekton/results/merged_sha\"\nfi\n\nelse\n  echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink\n  do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The git repo will be cloned onto the volume backing this Workspace.",
                            "name": "output"
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "build.appstudio.redhat.com/commit_sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "build.appstudio.redhat.com/pull_request_number": "22773",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84967978960",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ycsfib",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-nq6fx",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-28wip7",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-28wip7",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/d0903d73-a704-4437-bb2a-90c56c6912d6/records/c082f32a-d83a-4609-ad45-06db6d280f35",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\",\"eventType\":\"pull_request\",\"pull_request-id\":22773}",
                    "results.tekton.dev/result": "group-i4dp/results/d0903d73-a704-4437-bb2a-90c56c6912d6",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-28wip7",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:13:48Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84967978960",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-nq6fx",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-nq6fx",
                    "tekton.dev/pipelineRunUID": "d0903d73-a704-4437-bb2a-90c56c6912d6",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init",
                    "test.appstudio.openshift.io/pr-group-sha": "258679abe19d5d494ae31bf8378944fc84231aac62b193a6d81f2ac7866fe4"
                },
                "name": "python-component-28wip7-on-pull-request-nq6fx-init",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-nq6fx",
                        "uid": "d0903d73-a704-4437-bb2a-90c56c6912d6"
                    }
                ],
                "resourceVersion": "30086",
                "uid": "c082f32a-d83a-4609-ad45-06db6d280f35"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:13:52Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:13:52Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-pull-request-nq6fx-init-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-07-03T09:13:48Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                        "name": "init",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://9279d53d6ea6a8d62314b7ccb72c379a67db6c5c1bb9ba155407be83c59513ad",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:13:52Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:13:52Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "build.appstudio.redhat.com/commit_sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "build.appstudio.redhat.com/pull_request_number": "22773",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-909fd0dfdb",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84967978960",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ycsfib",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-nq6fx",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-28wip7",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-28wip7",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/d0903d73-a704-4437-bb2a-90c56c6912d6/records/e842dfc2-05fe-4f80-84bc-c7276333c80c",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\",\"eventType\":\"pull_request\",\"pull_request-id\":22773}",
                    "results.tekton.dev/result": "group-i4dp/results/d0903d73-a704-4437-bb2a-90c56c6912d6",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, appstudio",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-28wip7",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:17:16Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84967978960",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-nq6fx",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-nq6fx",
                    "tekton.dev/pipelineRunUID": "d0903d73-a704-4437-bb2a-90c56c6912d6",
                    "tekton.dev/pipelineTask": "push-dockerfile",
                    "tekton.dev/task": "push-dockerfile",
                    "test.appstudio.openshift.io/pr-group-sha": "258679abe19d5d494ae31bf8378944fc84231aac62b193a6d81f2ac7866fe4"
                },
                "name": "python-component-28wip7-on-pull-request-nq6fx-push-dockerfile",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-nq6fx",
                        "uid": "d0903d73-a704-4437-bb2a-90c56c6912d6"
                    }
                ],
                "resourceVersion": "33438",
                "uid": "e842dfc2-05fe-4f80-84bc-c7276333c80c"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "docker/Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "python-component"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "push-dockerfile"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3@sha256:64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-2d153916f7"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:17:33Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:17:33Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-2e163026851ba571b94e315a0515b46b-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        "entryPoint": "push-dockerfile",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7@sha256:8986ad9109dabbfc863df1b9c7c22ae4dfc8d970a73774a52643c38fbf3f694e"
                    }
                ],
                "startTime": "2026-07-03T09:17:19Z",
                "steps": [
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2211d162e47ed0559edcd74fd36ba1c1961242829ce76cce8f17968d47d1af6b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:17:32Z",
                            "message": "[{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7@sha256:8986ad9109dabbfc863df1b9c7c22ae4dfc8d970a73774a52643c38fbf3f694e\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:17:31Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.",
                    "params": [
                        {
                            "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": ".dockerfile",
                            "description": "Suffix of the Dockerfile image tag.",
                            "name": "TAG_SUFFIX",
                            "type": "string"
                        },
                        {
                            "default": "application/vnd.konflux.dockerfile",
                            "description": "Artifact type of the Dockerfile image.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest-pinned image reference to the Dockerfile image.",
                            "name": "IMAGE_REF",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--source",
                                "source",
                                "--context",
                                "python-component",
                                "--containerfile",
                                "docker/Dockerfile",
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                                "--image-digest",
                                "sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4",
                                "--artifact-type",
                                "application/vnd.konflux.dockerfile",
                                "--tag-suffix",
                                ".dockerfile",
                                "--result-path-image-ref",
                                "/tekton/results/IMAGE_REF",
                                "--alternative-filename",
                                "Dockerfile"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "push-containerfile"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                            "name": "push",
                            "workingDir": "/workspace/workspace"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code from where the Dockerfile is discovered.",
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "build.appstudio.redhat.com/commit_sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "build.appstudio.redhat.com/pull_request_number": "22773",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-909fd0dfdb",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84967978960",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ycsfib",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-nq6fx",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-28wip7",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-28wip7",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/d0903d73-a704-4437-bb2a-90c56c6912d6/records/f713a446-f095-4bb9-ae18-4c87a9c2573b",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\",\"eventType\":\"pull_request\",\"pull_request-id\":22773}",
                    "results.tekton.dev/result": "group-i4dp/results/d0903d73-a704-4437-bb2a-90c56c6912d6",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-28wip7",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:17:16Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84967978960",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-nq6fx",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-nq6fx",
                    "tekton.dev/pipelineRunUID": "d0903d73-a704-4437-bb2a-90c56c6912d6",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check",
                    "test.appstudio.openshift.io/pr-group-sha": "258679abe19d5d494ae31bf8378944fc84231aac62b193a6d81f2ac7866fe4"
                },
                "name": "python-component-28wip7-on-pull-request-nq6fx-sast-shell-check",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-nq6fx",
                        "uid": "d0903d73-a704-4437-bb2a-90c56c6912d6"
                    }
                ],
                "resourceVersion": "33400",
                "uid": "f713a446-f095-4bb9-ae18-4c87a9c2573b"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-2d153916f7"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:17:34Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:17:34Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-3a9d27207d0a0494c3d97fb15c39acb7-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        "entryPoint": "sast-shell-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:17:32+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:17:18Z",
                "steps": [
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-shell-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://044a77f9878cfb6f995586c1f68ca76c4b9b9b2ccff5f6d7cd91e34620024450",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:17:32Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:17:32+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:17:31Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://84a04b7ab3f96ad4c934598a31c4211875f05abb260193f7973dac53a50b1b9d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:17:34Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:17:32+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:17:32Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "8",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/workspace/workspace/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n    read -r quota period \u003c /sys/fs/cgroup/cpu.max\n    if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n        export SC_JOBS=$(((quota + period - 1) / period))\n        echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n    fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n    --mode=json\n    --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n    # predefined list of shellcheck important findings\n    CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n    CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n    CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n    CSGREP_OPTS+=(\n        --event=\"$CSGREP_EVENT_FILTER\"\n    )\nelse\n    CSGREP_OPTS+=(\n        --event=\"error|warning\"\n    )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e \"$OUTPUT_FILE\"; then\n    echo \"Error occurred while running 'run-shellcheck.sh'\"\n    note=\"Task sast-shell-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e \"${OUTPUT_FILE}.filtered\" 2\u003e \"${OUTPUT_FILE}.error\"\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n        mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003e shellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n    echo 'No image-url or image-digest param provided. Skipping upload.'\n    exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n        echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n        continue\n    fi\n\n    # Determine the media type based on the file extension\n    if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n        MEDIA_TYPE=\"application/json\"\n    else\n        MEDIA_TYPE=\"application/sarif+json\"\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n      exit 1\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "build.appstudio.redhat.com/commit_sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "build.appstudio.redhat.com/pull_request_number": "22773",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-909fd0dfdb",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84967978960",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ycsfib",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-nq6fx",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-28wip7",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-28wip7",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/d0903d73-a704-4437-bb2a-90c56c6912d6/records/30783db5-9d8b-4b38-b0c2-850304d72619",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\",\"eventType\":\"pull_request\",\"pull_request-id\":22773}",
                    "results.tekton.dev/result": "group-i4dp/results/d0903d73-a704-4437-bb2a-90c56c6912d6",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-28wip7",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:17:16Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84967978960",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-nq6fx",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-nq6fx",
                    "tekton.dev/pipelineRunUID": "d0903d73-a704-4437-bb2a-90c56c6912d6",
                    "tekton.dev/pipelineTask": "sast-snyk-check",
                    "tekton.dev/task": "sast-snyk-check",
                    "test.appstudio.openshift.io/pr-group-sha": "258679abe19d5d494ae31bf8378944fc84231aac62b193a6d81f2ac7866fe4"
                },
                "name": "python-component-28wip7-on-pull-request-nq6fx-sast-snyk-check",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-nq6fx",
                        "uid": "d0903d73-a704-4437-bb2a-90c56c6912d6"
                    }
                ],
                "resourceVersion": "33327",
                "uid": "30783db5-9d8b-4b38-b0c2-850304d72619"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-snyk-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-2d153916f7"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:17:31Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:17:31Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-426617a0d6745cccd7800fd715cb6440-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        "entryPoint": "sast-snyk-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-03T09:17:30+00:00\",\"note\":\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:17:17Z",
                "steps": [
                    {
                        "container": "step-sast-snyk-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-snyk-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://09f5febead3ee29c8ecca56c3d5ae7345e83e8f2a8216cc8ef20dbdb9d912e8c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:17:30Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-03T09:17:30+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:17:28Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f0230ad79474e13faedf84b0f9a85c148cabf5a63d22977f79a5b589f67454aa",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:17:30Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-03T09:17:30+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:17:30Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.\n\nFollow the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/) to obtain a snyk-token and to enable the snyk task in a Pipeline.\n\nThe snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test\n\nSee https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.",
                    "params": [
                        {
                            "default": "snyk-secret",
                            "description": "Name of secret which contains Snyk token.",
                            "name": "SNYK_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Append arguments.",
                            "name": "ARGS",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Digest of the image to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Report only important findings in task result. Default is \"true\". To report all findings in task result, specify \"false\". Uploaded SARIF report to remote registry always includes all findings, regardless of severity level.",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Write excluded records in file. Useful for auditing (defaults to false).",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.",
                            "name": "IGNORE_FILE_PATHS",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "6Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "6Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNYK_SECRET",
                                    "value": "snyk-secret"
                                },
                                {
                                    "name": "ARGS"
                                },
                                {
                                    "name": "IGNORE_FILE_PATHS"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-snyk-check",
                            "script": "#!/usr/bin/env bash\n\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\n# Installation of Red Hat certificates for cloning Red Hat internal repositories\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSNYK_TOKEN_PATH=\"/etc/secrets/snyk_token\"\nif [ -f \"${SNYK_TOKEN_PATH}\" ] \u0026\u0026 [ -s \"${SNYK_TOKEN_PATH}\" ]; then\n  # SNYK token is provided\n  SNYK_TOKEN=\"$(cat ${SNYK_TOKEN_PATH})\"\n  export SNYK_TOKEN\nelse\n  # According to shellcheck documentation, the following error can be ignored as it is ignored through indirection: https://www.shellcheck.net/wiki/SC2034\n  # shellcheck disable=SC2034\n  to_enable_snyk='[here](https://konflux-ci.dev/docs/testing/build/snyk/)'\n  note=\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given ${to_enable_snyk}\"\n  TEST_OUTPUT=$(make_result_json -r SKIPPED -t \"$note\")\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nSNYK_EXIT_CODE=0\nSOURCE_CODE_DIR=/workspace/workspace\n\n# We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.\n(cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 IFS=\",\" \u0026\u0026 for path in $IGNORE_FILE_PATHS; do\n  snyk ignore --file-path=\"source/${path}\"\ndone)\n\nset +e\necho \"INFO: Running 'snyk code test'..\"\n# We do want to expand ARGS (it can be multiple CLI flags, not just one)\n# shellcheck disable=SC2086\n\n# Generate full paths for each directory in TARGET_DIRS\nIFS=\",\" read -ra TARGETS_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGETS_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # Ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ ! \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\n\n  # Ensure directory exists\n  if [ ! -d \"$resolved_path\" ]; then\n    echo \"Warning: Directory $resolved_path does not exist, skipping\"\n    continue\n  fi\n\n  echo \"INFO: Scanning directory: $resolved_path\"\n  # We do want to expand ARGS (it can be multiple CLI flags, not just one)\n  # shellcheck disable=SC2086\n  snyk code test $ARGS \"$resolved_path\" --max-depth=1 --sarif-file-output=\"${resolved_path}/sast_snyk_check_out_${d//\\//_}.json\" 1\u003e\u00262\u003e\u003e stdout.txt\n  cmd_exit_code=$?\n  # Track the exit code: if any snyk command fails, preserve the failure\n  # Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error, 3 = no supported files\n  # Error codes (2+) always override, warning codes (1,3) only if no previous error\n  if [[ \"$cmd_exit_code\" -ne 0 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 1 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 3 ]]; then\n    SNYK_EXIT_CODE=$cmd_exit_code\n  fi\n\ndone\n\n# Merge all SARIF outputs\nfind \"$SOURCE_CODE_DIR\" -name \"sast_snyk_check_out_*.json\" -exec cat {} + \u003e \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\nset -e\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\n\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n  # Check if the merged SARIF file has content - this could happen if the snyk scan found no findings\n  if [ ! -s \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\" ]; then\n    echo \"WARN: No JSON output files were generated by snyk scan\"\n    # Get snyk version for proper SARIF metadata\n    SNYK_VERSION=$(snyk --version 2\u003e/dev/null | head -1 | tr -d '\\n' || echo \"unknown\")\n    # Create a valid minimal SARIF structure using jq\n    # Note: coverage array is required even when empty because downstream jq commands expect it\n    jq -n --arg version \"$SNYK_VERSION\" '{\n      \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n      \"version\": \"2.1.0\",\n      \"runs\": [{\n        \"tool\": {\n          \"driver\": {\n            \"name\": \"snyk\",\n            \"version\": $version,\n            \"informationUri\": \"https://snyk.io\"\n          }\n        },\n        \"results\": [],\n        \"properties\": {\n          \"coverage\": []\n        }\n      }]\n    }' \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\n  fi\n\n  # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context\n  (cd  \"${SOURCE_CODE_DIR}\" \u0026\u0026 csgrep --mode=json --embed-context=3 \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json) \\\n    | csgrep --mode=json --strip-path-prefix=\"source/\"  \\\n    \u003e sast_snyk_check_out_all_findings.json\n\n  echo \"INFO: Initial results:\"\n  csgrep --mode=evtstat sast_snyk_check_out_all_findings.json\n\n  if [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\n  fi\n  PROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n  # create the KFP clone directory regardless\n  KFP_DIR=\"known-false-positives\"\n  KFP_CLONED=\"0\"\n  mkdir \"${KFP_DIR}\"\n\n  # We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\n  if [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n      echo \"INFO: Trying to clone known-false-positives..\"\n      git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\n  fi\n\n  if [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone know-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json\n  else\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    CMD=(\n      csfilter-kfp\n      --verbose\n      --kfp-dir=\"${KFP_DIR}\"\n      --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [ \"${RECORD_EXCLUDED}\" == \"true\" ]; then\n      CMD+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    set +e\n    \"${CMD[@]}\" sast_snyk_check_out_all_findings.json \u003e filtered_sast_snyk_check_out.json\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n      echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n      echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\n    echo \"INFO: Results after filtering:\"\n    (set -x \u0026\u0026 csgrep --mode=evtstat filtered_sast_snyk_check_out.json)\n  fi\n\n  # Generation of scan stats\n\n  total_files=$(jq '[.runs[0].properties.coverage[].files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n  supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == \"SUPPORTED\") | .files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n\n  # We make sure the values are 0 if no supported/total files are found\n  if [ \"$total_files\" = \"null\" ] || [ -z \"$total_files\" ]; then\n    total_files=0\n  fi\n\n  if [ \"$supported_files\" = \"null\" ] || [ -z \"$supported_files\" ]; then\n    supported_files=0\n  fi\n\n  coverage_ratio=0\n  if (( total_files \u003e 0 )); then\n      coverage_ratio=$((supported_files * 100 / total_files))\n  fi\n\n  # embed stats in results file and convert to SARIF\n  csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:\"${coverage_ratio}\" \\\n                      --set-scan-prop snyk-scanned-files-success:\"${supported_files}\"  \\\n                      --set-scan-prop snyk-scanned-files-total:\"${total_files}\" \\\n                      filtered_sast_snyk_check_out.json  \u003e sast_snyk_check_out.sarif\n\n  # Create filtered SARIF for Tekton task result based on IMP_FINDINGS_ONLY parameter\n  if [ \"${IMP_FINDINGS_ONLY}\" == \"true\" ]; then\n    # Filter to only \"error\" level or higher (high/critical severity) for Tekton task result\n    # In SARIF, defects are given a level like \"error\" or \"warning\". Snyk maps \"high\" level findings to \"error\".\n    # - \"error\" → importance level 1\n    # - \"warning\" (or missing level) → importance level 0\n    RESULT_SARIF=\"result_sast_snyk_check_out.sarif\"\n    csgrep --mode=sarif --imp-level 1 sast_snyk_check_out.sarif \u003e \"$RESULT_SARIF\"\n  else\n    # Use all findings for Tekton task result\n    RESULT_SARIF=\"sast_snyk_check_out.sarif\"\n  fi\n\n  TEST_OUTPUT=\n  parse_test_output \"sast-snyk-check\" sarif \"$RESULT_SARIF\"  || true\n\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n  note=\"Task sast-snyk-check success: Snyk code test found zero supported files.\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-snyk-check test failed because of the following issues:\"\n  cat stdout.txt\n  note=\"Task sast-snyk-check failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets",
                                    "name": "snyk-secret",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_snyk_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n    if [ \"${UPLOAD_FILES}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach to ${IMAGE_URL}\"\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "snyk-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "snyk-secret"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=199efd7eac382257fdf540ad73856a709ce62977",
                    "build.appstudio.redhat.com/commit_sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "build.appstudio.redhat.com/pull_request_number": "22774",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84970971541",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-aizxpa",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-s24dt",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/e11c6258-b1db-4160-a206-8241e80c155d/records/44d2a070-6bee-400e-8474-5318055111ac",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"199efd7eac382257fdf540ad73856a709ce62977\",\"eventType\":\"pull_request\",\"pull_request-id\":22774}",
                    "results.tekton.dev/result": "group-i4dp/results/e11c6258-b1db-4160-a206-8241e80c155d",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-v9b4py-on-pull-request-rxqst is running for component go-component-v9b4py, waiting for it to create a new group Snapshot for PR group pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:34:07Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84970971541",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-s24dt",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-s24dt",
                    "tekton.dev/pipelineRunUID": "e11c6258-b1db-4160-a206-8241e80c155d",
                    "tekton.dev/pipelineTask": "apply-tags",
                    "tekton.dev/task": "apply-tags",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "python-component-28wip7-on-pull-request-s24dt-apply-tags",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-s24dt",
                        "uid": "e11c6258-b1db-4160-a206-8241e80c155d"
                    }
                ],
                "resourceVersion": "52129",
                "uid": "44d2a070-6bee-400e-8474-5318055111ac"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "apply-tags"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:35:29Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:35:29Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-pull-request-s24dt-apply-tags-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        "entryPoint": "apply-tags",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags"
                    }
                },
                "startTime": "2026-07-03T09:34:11Z",
                "steps": [
                    {
                        "container": "step-apply-additional-tags",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                        "name": "apply-additional-tags",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c3974ff3c424d8fc48671b3c24cd5cf87353a24f3c78062e6c0120d8ea64e9eb",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:35:27Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:35:26Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Applies additional tags to the built image.",
                    "params": [
                        {
                            "description": "Image repository and tag reference of the the built image.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest of the built image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional tags that will be applied to the image in the registry.",
                            "name": "ADDITIONAL_TAGS",
                            "type": "array"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977",
                                "--digest",
                                "sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf",
                                "--tags",
                                "--tags-from-image-label",
                                "konflux.additional-tags"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "apply-tags"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                            "name": "apply-additional-tags"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=199efd7eac382257fdf540ad73856a709ce62977",
                    "build.appstudio.redhat.com/commit_sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "build.appstudio.redhat.com/pull_request_number": "22774",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-619920aa29",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84970971541",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-aizxpa",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-s24dt",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/e11c6258-b1db-4160-a206-8241e80c155d/records/6876491e-96db-420f-b50a-8529757dee1d",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"199efd7eac382257fdf540ad73856a709ce62977\",\"eventType\":\"pull_request\",\"pull_request-id\":22774}",
                    "results.tekton.dev/result": "group-i4dp/results/e11c6258-b1db-4160-a206-8241e80c155d",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-v9b4py-on-pull-request-rxqst is running for component go-component-v9b4py, waiting for it to create a new group Snapshot for PR group pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:31:17Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84970971541",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-s24dt",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-s24dt",
                    "tekton.dev/pipelineRunUID": "e11c6258-b1db-4160-a206-8241e80c155d",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "python-component-28wip7-on-pull-request-s24dt-build-container",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-s24dt",
                        "uid": "e11c6258-b1db-4160-a206-8241e80c155d"
                    }
                ],
                "resourceVersion": "49609",
                "uid": "6876491e-96db-420f-b50a-8529757dee1d"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "docker/Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "python-component"
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "199efd7eac382257fdf540ad73856a709ce62977"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.9@sha256:b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-29e0ba6b8a"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:33:51Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:33:51Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-336105dbf313994282e3fddf876bcfd8-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        "entryPoint": "buildah",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977@sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7@sha256:93e773399efd6bd67ffa1551229b824ae5761461ecab057a787e84846f07ec13"
                    }
                ],
                "startTime": "2026-07-03T09:31:17Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://995d7bb926a1cdc920e0a72ffec8d4f9cbf5fbf814d5b845ac05c487e01ed01c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:32:04Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:31:23Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://76e6f17faa83fe482142963546cda6a4088efe3a510deba6ea67138b7812a399",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:32:39Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977@sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:32:04Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "sbom-syft-generate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3d4f566bb9501f185414d9a3ac03df83dbe93f7815fdeaaff894b2a9d863b0c3",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:33:01Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977@sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:32:40Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "prepare-sboms",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://760e46f14b5d4e508b65cf67ba43253daa29232245ed0f02debb274365633311",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:33:24Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977@sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:33:02Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b78ea2be9f4c6e7a6c6da01868b32038c6b374962ed4e08c1c4967bf42a052f6",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:33:50Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977@sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7@sha256:93e773399efd6bd67ffa1551229b824ae5761461ecab057a787e84846f07ec13\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:33:24Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.",
                    "params": [
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to enable privileged mode, should be used only with remote VMs",
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "4Gi"
                            },
                            "requests": {
                                "cpu": "1",
                                "memory": "4Gi"
                            }
                        },
                        "env": [
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "python-component"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "5d"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "ENTITLEMENT_SECRET",
                                "value": "etc-pki-entitlement"
                            },
                            {
                                "name": "ACTIVATION_KEY",
                                "value": "activation-key"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--build-args",
                                "--env",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                },
                                "requests": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "199efd7eac382257fdf540ad73856a709ce62977"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "docker/Dockerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n  if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n    echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n    export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n      echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n      export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n    fi\n  fi\n}\n\nfunction unset_proxy {\n  echo \"[$(date --utc -Ins)] Unsetting proxy\"\n  unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n  echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n  CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n  \"$source_dir_path\" | \"$source_dir_path/\"*)\n    # path is valid, do nothing\n    ;;\n  *)\n    echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n    echo \"Source path: $source_dir_path\" \u003e\u00262\n    echo \"Resolved path: $context_dir_path\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n  # Instrumented builds (SAST) use this custom dockerfile step as their base\n  dockerfile_path=\"$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n  icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e /etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n  while IFS= read -r line || [[ -n \"$line\" ]]; do\n    # Skip empty lines and comments\n    if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n      ANNOTATIONS+=(\"--annotation\" \"$line\")\n    fi\n  done \u003c \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n    case $1 in\n        --build-args)\n            shift\n            # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n            # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n            # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do build_args+=(\"$1\"); shift; done\n            ;;\n        --env)\n            shift\n            # Collect env entries of the form KEY=value\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do env_vars+=(\"$1\"); shift; done\n            ;;\n        --labels)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do LABELS+=(\"--label\" \"$1\"); shift; done\n            ;;\n        --annotations)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ANNOTATIONS+=(\"--annotation\" \"$1\"); shift; done\n            ;;\n        *)\n            echo \"unexpected argument: $1\" \u003e\u00262\n            exit 2\n            ;;\n    esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n  BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n  ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e /shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n    jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--pull=never\")\n  UNSHARE_ARGS+=(\"--net\")\n  buildah_retries=3\n\n  set_proxy\n\n  for image in $BASE_IMAGES; do\n    if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"\n    then\n      echo \"Failed to pull base image ${image}\"\n      exit 1\n    fi\n  done\n\n  unset_proxy\n\n  echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n  BUILDAH_ARGS+=(\"--cap-add=all\")\n  BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n  BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n  if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n    BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n  fi\n  if [ -n \"$BUILD_TIMESTAMP\" ]; then\n    echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n    exit 1\n  fi\n  # but do set it so that we get all the labels/annotations associated with it\n  BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/workspace/source/cachi2/cachi2.env\" ]; then\n  # Identify the current arch to filter the prefetched content\n  PREFETCH_ARCH=\"$(uname -m)\"\n  echo \"$PREFETCH_ARCH\" \u003e /shared/prefetch-arch\n\n  echo \"Prefetched content will be made available\"\n\n  cp -r \"/workspace/source/cachi2\" /tmp/\n  chmod -R go+rwX /tmp/cachi2\n\n  # In case RPMs were prefetched and this is a multi-arch build,\n  # clean up the packages that do not match the architecture being built\n  RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n  if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n    echo \"Removing prefetched RPMs from non-matching architectures\"\n    PREFETCH_ARCH=\"$(uname -m)\"\n    for path in \"$RPM_PREFETCH_DIR\"/*; do\n      if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n        echo \"Removing: $path\"\n        rm -rf \"$path\"\n      else\n        echo \"Keeping: $path\"\n      fi\n    done\n  fi\n\n  VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n  # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n  # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n  sed -E -i \\\n      -e 'H;1h;$!d;x' \\\n      -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n    @igM' \\\n      \"$dockerfile_copy\"\n\n  prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n  if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n    echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n    mkdir -p \"$YUM_REPOS_D_FETCHED\"\n    if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n      cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n    fi\n  fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n  cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n  mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n  VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n  \"--label\" \"architecture=$(uname -m)\"\n  \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n  BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n  BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n  FINAL_BASE_IMAGE=$(\n    # Get the base image of the final stage\n    # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n    # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n    # Run the find_root_stage() function on the final stage\n    # If the final stage is scratch or oci-archive, return empty\n    jq -r '.Stages as $all_stages |\n      def find_root_stage($stage):\n        if $stage.From.Stage then\n          find_root_stage($all_stages[$stage.From.Stage.Index])\n        else\n          $stage\n        end;\n\n        find_root_stage(.Stages[-1]) |\n        if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n          empty\n        else\n          .BaseName\n        end' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n  )\n  if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n    set_proxy\n    buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null` `\n    unset_proxy\n    buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n  fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n  if [[ \"$label\" != \"--label\" ]]; then\n    label_pairs+=(\"$label\")\n  fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n  label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n  [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n  | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  echo \"\" \u003e\u003e\"$dockerfile_copy\"\n  # Always write labels.json to the new standard location\n  echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  # Conditionally write to the old location for backward compatibility\n  if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n    echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n  ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n  cp \"$containerignore\" \"$ignorefile_copy\"\n  {\n    echo \"\"\n    echo \"!/labels.json\"\n    echo \"!/content-sets.json\"\n  } \u003e\u003e \"$ignorefile_copy\"\n  BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n#    shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n  cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n  mkdir -p /shared/rhsm/etc/pki/entitlement\n  mkdir -p /shared/rhsm/etc/pki/consumer\n\n  VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key \\\n                  -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z \\\n                  -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n  echo \"Adding activation key to the build\"\n\n  if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n    # user is not running registration in the Containerfile: pre-register.\n    echo \"Pre-registering with subscription manager.\"\n    export RETRY_MAX_TRIES=6\n    if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"\n    then\n      echo \"Subscription-manager register failed\"\n      exit 1\n    fi\n    unset RETRY_MAX_TRIES\n    trap 'subscription-manager unregister || true' EXIT\n\n    # copy generated certificates to /shared volume\n    cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n    cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n    # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n    VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n  fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e /dev/null; then\n  cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n  VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n  echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n  if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n    echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n    echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n    exit 1\n  fi\n  # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n  # (we set the workdir using 'unshare -w')\n  context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n  VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n  # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n  # Instrumented builds (SAST) use this step as their base and add some other tools.\n  while read -r volume_mount; do\n    VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n  done \u003c\u003c\u003c \"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n  cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n  while read -r filename; do\n    echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n    BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n  done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n    buildah build\n    \"${VOLUME_MOUNTS[@]}\"\n    \"${BUILDAH_ARGS[@]}\"\n    \"${LABELS[@]}\"\n    \"${ANNOTATIONS[@]}\"\n    --tls-verify=\"$TLSVERIFY\" --no-cache\n    --ulimit nofile=4096:4096\n    --http-proxy=false\n    -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n  command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n  command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n  # Get the image pullspec and filter out a tag if it is not set\n  # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n  base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n  # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n  # if buildah did not use that particular image during build because it was skipped\n  if [ -n \"$base_image_digest\" ]; then\n    echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n  fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e /shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "python-component-28wip7-on-pull-request-s24dt-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "push",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"\nthen\n  echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/workspace/source/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n  echo \"Failed to push sbom image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c \"/workspace/source\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/workspace/source/image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"\nthen\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n  [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n  [rekorInternalUrl]=REKOR_URL\n  [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n  [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n  [rekorInternalUrl]=rekorExternalUrl\n  [fulcioInternalUrl]=fulcioExternalUrl\n  [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e /shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e /tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\n  cyclonedx)\n    syft_sbom_type=cyclonedx-json@1.5 ;;\n  spdx)\n    syft_sbom_type=spdx-json@2.3 ;;\n  *)\n    echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/workspace/source/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/source/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n    --additional-base-images)\n      shift\n      while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ADDITIONAL_BASE_IMAGES+=(\"$1\"); shift; done\n      ;;\n    *)\n      echo \"unexpected argument: $1\" \u003e\u00262\n      exit 2\n      ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/workspace/source/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/workspace/source/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/workspace/source/sbom-source.json\")\nfi\n\nif [ -f \"/workspace/source/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/workspace/source/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n    # spdx export data as rawstring, we want structured json as cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code to build.",
                            "name": "source"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=199efd7eac382257fdf540ad73856a709ce62977",
                    "build.appstudio.redhat.com/commit_sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "build.appstudio.redhat.com/pull_request_number": "22774",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84970971541",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-aizxpa",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-s24dt",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/e11c6258-b1db-4160-a206-8241e80c155d/records/7cb8efed-ecd3-48da-93ff-0a69fd0f9ef4",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"199efd7eac382257fdf540ad73856a709ce62977\",\"eventType\":\"pull_request\",\"pull_request-id\":22774}",
                    "results.tekton.dev/result": "group-i4dp/results/e11c6258-b1db-4160-a206-8241e80c155d",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-v9b4py-on-pull-request-rxqst is running for component go-component-v9b4py, waiting for it to create a new group Snapshot for PR group pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:33:51Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84970971541",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-s24dt",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-s24dt",
                    "tekton.dev/pipelineRunUID": "e11c6258-b1db-4160-a206-8241e80c155d",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "tekton.dev/task": "build-image-index",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "python-component-28wip7-on-pull-request-s24dt-build-image-index",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-s24dt",
                        "uid": "e11c6258-b1db-4160-a206-8241e80c155d"
                    }
                ],
                "resourceVersion": "50556",
                "uid": "7cb8efed-ecd3-48da-93ff-0a69fd0f9ef4"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "199efd7eac382257fdf540ad73856a709ce62977"
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977@sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:34:05Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:34:05Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-01213788eaeab6af0f7240f92e76c311-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        "entryPoint": "build-image-index",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7@sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977"
                    }
                ],
                "startTime": "2026-07-03T09:33:51Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d6155f955e45bbd73cf0107d3b7638d3b064994b5b82e0dcf69d995f7d546d52",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:33:59Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7@sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:33:57Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "create-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c63112c4a7a0fe1affdd4637fd58e5258bacae34345b9df988cb091ec5b5269f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:34:00Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7@sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:34:00Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a7a4df0953e4e925b0e6280e54deefefb87f4635c98815e8c7baaaccc2eba80e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:34:04Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7@sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:34:00Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The commit the image is built from.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "COMMIT_SHA",
                                "value": "199efd7eac382257fdf540ad73856a709ce62977"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977@sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n  echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n  exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n  TOADD=\"$i\"\n  TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n  TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n  if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n    #format is repository:tag@sha256:digest\n    #we need to remove the tag, and just reference the digest\n    #as tag + digest is not supported\n    TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n    TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n  fi\n  if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n    echo \"Skipping image index generation. Returning results for $TOADD.\"\n    echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n    echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n    echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n    exit 0\n  fi\n\n  echo \"Adding $TOADD\"\n  buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n  INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n  INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n  echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n  echo \"This will cause digest changes and break SBOM accessibility.\"\n  echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n  exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n    echo \"Failed to push image ${IMAGE} to registry\"\n    exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:python-component-28wip7-on-pull-request-s24dt-build-image-index\"\nthen\n    echo \"Failed to push image ${IMAGE%:*}:python-component-28wip7-on-pull-request-s24dt-build-image-index to registry\"\n    exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n  image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n  echo -n \"${IMAGE}@\"\n  cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=199efd7eac382257fdf540ad73856a709ce62977",
                    "build.appstudio.redhat.com/commit_sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "build.appstudio.redhat.com/pull_request_number": "22774",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84970971541",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-aizxpa",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-s24dt",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/e11c6258-b1db-4160-a206-8241e80c155d/records/da5d5b10-ac1d-4017-8bd7-ece51973f924",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"199efd7eac382257fdf540ad73856a709ce62977\",\"eventType\":\"pull_request\",\"pull_request-id\":22774}",
                    "results.tekton.dev/result": "group-i4dp/results/e11c6258-b1db-4160-a206-8241e80c155d",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-v9b4py-on-pull-request-rxqst is running for component go-component-v9b4py, waiting for it to create a new group Snapshot for PR group pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:34:06Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84970971541",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-s24dt",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-s24dt",
                    "tekton.dev/pipelineRunUID": "e11c6258-b1db-4160-a206-8241e80c155d",
                    "tekton.dev/pipelineTask": "clair-scan",
                    "tekton.dev/task": "clair-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "python-component-28wip7-on-pull-request-s24dt-clair-scan",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-s24dt",
                        "uid": "e11c6258-b1db-4160-a206-8241e80c155d"
                    }
                ],
                "resourceVersion": "52327",
                "uid": "da5d5b10-ac1d-4017-8bd7-ece51973f924"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clair-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:36:04Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:36:04Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-pull-request-s24dt-clair-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        "entryPoint": "clair-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977\", \"digests\": [\"sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf\":\"sha256:c12ef790ce9e80a01552656a180a912e619820487d838859011b1701f8ae4a6a\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":331,\"medium\":873,\"low\":241,\"unknown\":2},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":4,\"medium\":489,\"low\":633,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:36:03+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:34:06Z",
                "steps": [
                    {
                        "container": "step-get-image-manifests",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "get-image-manifests",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://401c230f25e71347573072729ada185374f6f74bfb394815f1e566274154ea43",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:34:41Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:34:37Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:e030a6094b6d88b430ed049a6a59808f4b795e9d8293d72a4bbab44da8cc429f",
                        "name": "get-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a40b43a446771c0f71eff506781c90185c331b9a26fc3f233fd83ccbf5e0278f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:35:35Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:34:41Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/oras@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                        "name": "oci-attach-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://5e456021cd99b0e044442aab40c964042d8c62f251115bac185720f48084dc44",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:35:38Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:35:36Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "conftest-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://dfd3a5cef8eeb5ab59a91c423d5c0b6cc02367d5ba4722cd0ce8fef8f8a13a5c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:36:03Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977\\\", \\\"digests\\\": [\\\"sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf\\\":\\\"sha256:c12ef790ce9e80a01552656a180a912e619820487d838859011b1701f8ae4a6a\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":331,\\\"medium\\\":873,\\\"low\\\":241,\\\"unknown\\\":2},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":4,\\\"medium\\\":489,\\\"low\\\":633,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:36:03+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:35:39Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform built by.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused, should be removed in next task version.",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Clair scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "get-image-manifests",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clair-in-ci:v1",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n  { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee  \"clair-report-$2.json\"; } \u0026\u0026 \\\n  { retry clair-action convert  --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-$arch.sha\"\n\n  if [ -e \"$sha_file\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n    local digest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running clair-action on $arch image manifest...\"\n    clair_report \"$digest\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n   fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_clair_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n  echo 'No Clair reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n  fi\n\n  #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=199efd7eac382257fdf540ad73856a709ce62977",
                    "build.appstudio.redhat.com/commit_sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "build.appstudio.redhat.com/pull_request_number": "22774",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84970971541",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-aizxpa",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-s24dt",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/e11c6258-b1db-4160-a206-8241e80c155d/records/ed24afc7-1d96-4426-a40c-ab402eaa9325",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"199efd7eac382257fdf540ad73856a709ce62977\",\"eventType\":\"pull_request\",\"pull_request-id\":22774}",
                    "results.tekton.dev/result": "group-i4dp/results/e11c6258-b1db-4160-a206-8241e80c155d",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-v9b4py-on-pull-request-rxqst is running for component go-component-v9b4py, waiting for it to create a new group Snapshot for PR group pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:34:07Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84970971541",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-s24dt",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-s24dt",
                    "tekton.dev/pipelineRunUID": "e11c6258-b1db-4160-a206-8241e80c155d",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "python-component-28wip7-on-pull-request-s24dt-clamav-scan",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-s24dt",
                        "uid": "e11c6258-b1db-4160-a206-8241e80c155d"
                    }
                ],
                "resourceVersion": "52693",
                "uid": "ed24afc7-1d96-4426-a40c-ab402eaa9325"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:35:47Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:35:47Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-pull-request-s24dt-clamav-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        "entryPoint": "clamav-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977\", \"digests\": [\"sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1783071344\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-07-03T09:34:08Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:9b2b049119587b5e4e09297ce119396c17717381bbcd1a89041fdf3216073d36",
                        "name": "extract-and-scan-image",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b0209b7a88de617f1b3290f005091123639bafebfa5e8e722c54a55ed195ab94",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:35:44Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977\\\", \\\"digests\\\": [\\\"sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783071344\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:34:36Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d8c68680f0d9e4a0b90c28d19aa5dccbbfbf99f5112c93e188ba35ba46ed18f6",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:35:47Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977\\\", \\\"digests\\\": [\\\"sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783071344\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:35:45Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                },
                                "requests": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=$(echo content-$arch)\n    mkdir -p \"$destination\"\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n    if [ $? -ne 0 ]; then\n      echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=199efd7eac382257fdf540ad73856a709ce62977",
                    "build.appstudio.redhat.com/commit_sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "build.appstudio.redhat.com/pull_request_number": "22774",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-619920aa29",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84970971541",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-aizxpa",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-s24dt",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/e11c6258-b1db-4160-a206-8241e80c155d/records/bfcae772-2158-444a-9280-5fda161d5bd3",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"199efd7eac382257fdf540ad73856a709ce62977\",\"eventType\":\"pull_request\",\"pull_request-id\":22774}",
                    "results.tekton.dev/result": "group-i4dp/results/e11c6258-b1db-4160-a206-8241e80c155d",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-v9b4py-on-pull-request-rxqst is running for component go-component-v9b4py, waiting for it to create a new group Snapshot for PR group pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:30:56Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84970971541",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-s24dt",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-s24dt",
                    "tekton.dev/pipelineRunUID": "e11c6258-b1db-4160-a206-8241e80c155d",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "python-component-28wip7-on-pull-request-s24dt-clone-repository",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-s24dt",
                        "uid": "e11c6258-b1db-4160-a206-8241e80c155d"
                    }
                ],
                "resourceVersion": "48380",
                "uid": "bfcae772-2158-444a-9280-5fda161d5bd3"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "revision",
                        "value": "199efd7eac382257fdf540ad73856a709ce62977"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "output",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-29e0ba6b8a"
                        }
                    },
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-aizxpa"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:31:02Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:31:02Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-8a47bfa6a7ab92c33607410ac878db48-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        "entryPoint": "git-clone",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "199efd7eac382257fdf540ad73856a709ce62977"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "199efd7eac382257fdf540ad73856a709ce62977"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1783071025"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "199efd7"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    }
                ],
                "startTime": "2026-07-03T09:30:56Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://34c0234df1a67ad8678762436965977fb04cc9f74e3587eea8633079318dcd70",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:31:01Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"199efd7eac382257fdf540ad73856a709ce62977\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"199efd7eac382257fdf540ad73856a709ce62977\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1783071025\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"199efd7\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:31:00Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://cfdacf0f6ada01f47d72e2bd9b01b473d4a6504312e6518dba548652ff46d42d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:31:01Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"199efd7eac382257fdf540ad73856a709ce62977\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"199efd7eac382257fdf540ad73856a709ce62977\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1783071025\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"199efd7\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:31:01Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.",
                    "params": [
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "source",
                            "description": "Subdirectory inside the `output` Workspace to clone the repo into.",
                            "name": "subdirectory",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Clean out the contents of the destination directory if it already exists before cloning.",
                            "name": "deleteExisting",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Deprecated. Has no effect. Will be removed in the future.",
                            "name": "gitInitImage",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "199efd7eac382257fdf540ad73856a709ce62977"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "PARAM_DELETE_EXISTING",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_GIT_INIT_IMAGE"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n  set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n  echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n  # Delete any existing contents of the repo directory if it exists.\n  #\n  # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n  # or the root of a mounted volume.\n  if [ -d \"${CHECKOUT_DIR}\" ] ; then\n    # Delete non-hidden files and directories\n    rm -rf \"${CHECKOUT_DIR:?}\"/*\n    # Delete files and directories starting with . but excluding ..\n    rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n    # Delete files and directories starting with .. plus any other character\n    rm -rf \"${CHECKOUT_DIR}\"/..?*\n  fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n  cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\nif ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n  echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n  echo \"--- Git Status ---\"\n  git status\n  echo \"------------------\"\n  exit 1\nfi\n\n# Check if there are changes staged for commit\nif git diff --staged --quiet; then\n  echo \"No diff was found, skipping merge...\" \u003e\u00262\nelse\n  echo \"Merge successful (no conflicts found), committing...\"\nif ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n  echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n  exit 1\nfi\n  MERGED_SHA=$(git rev-parse HEAD)\n  echo \"New HEAD after merge: ${MERGED_SHA}\"\n  echo \"${MERGED_SHA}\" \u003e \"/tekton/results/merged_sha\"\nfi\n\nelse\n  echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink\n  do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The git repo will be cloned onto the volume backing this Workspace.",
                            "name": "output"
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=199efd7eac382257fdf540ad73856a709ce62977",
                    "build.appstudio.redhat.com/commit_sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "build.appstudio.redhat.com/pull_request_number": "22774",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84970971541",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-aizxpa",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-s24dt",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/e11c6258-b1db-4160-a206-8241e80c155d/records/5724688b-85e2-476d-9259-de8ba8d928a3",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"199efd7eac382257fdf540ad73856a709ce62977\",\"eventType\":\"pull_request\",\"pull_request-id\":22774}",
                    "results.tekton.dev/result": "group-i4dp/results/e11c6258-b1db-4160-a206-8241e80c155d",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-v9b4py-on-pull-request-rxqst is running for component go-component-v9b4py, waiting for it to create a new group Snapshot for PR group pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:30:48Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84970971541",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-s24dt",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-s24dt",
                    "tekton.dev/pipelineRunUID": "e11c6258-b1db-4160-a206-8241e80c155d",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "python-component-28wip7-on-pull-request-s24dt-init",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-s24dt",
                        "uid": "e11c6258-b1db-4160-a206-8241e80c155d"
                    }
                ],
                "resourceVersion": "48370",
                "uid": "5724688b-85e2-476d-9259-de8ba8d928a3"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:30:53Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:30:53Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-pull-request-s24dt-init-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-07-03T09:30:49Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                        "name": "init",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://074687482553dbb111671aa177639f0f9f797dd91bcfcc8bc9dcc84553bd7714",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:30:52Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:30:52Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=199efd7eac382257fdf540ad73856a709ce62977",
                    "build.appstudio.redhat.com/commit_sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "build.appstudio.redhat.com/pull_request_number": "22774",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-619920aa29",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84970971541",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-aizxpa",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-s24dt",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/e11c6258-b1db-4160-a206-8241e80c155d/records/3370441b-4826-41b3-bc6d-c5021d171236",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"199efd7eac382257fdf540ad73856a709ce62977\",\"eventType\":\"pull_request\",\"pull_request-id\":22774}",
                    "results.tekton.dev/result": "group-i4dp/results/e11c6258-b1db-4160-a206-8241e80c155d",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, appstudio",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-v9b4py-on-pull-request-rxqst is running for component go-component-v9b4py, waiting for it to create a new group Snapshot for PR group pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:34:07Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84970971541",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-s24dt",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-s24dt",
                    "tekton.dev/pipelineRunUID": "e11c6258-b1db-4160-a206-8241e80c155d",
                    "tekton.dev/pipelineTask": "push-dockerfile",
                    "tekton.dev/task": "push-dockerfile",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "python-component-28wip7-on-pull-request-s24dt-push-dockerfile",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-s24dt",
                        "uid": "e11c6258-b1db-4160-a206-8241e80c155d"
                    }
                ],
                "resourceVersion": "51574",
                "uid": "3370441b-4826-41b3-bc6d-c5021d171236"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "docker/Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "python-component"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "push-dockerfile"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3@sha256:64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-29e0ba6b8a"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:35:30Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:35:30Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-e13122814d8366911d08d25deac64552-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        "entryPoint": "push-dockerfile",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7@sha256:8bab45fce830d56a30309a7f0101d2bc002f5c0173280310f54d1473e61083c9"
                    }
                ],
                "startTime": "2026-07-03T09:34:12Z",
                "steps": [
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c0c3608057da6ca1168366c120af16c51be48b1b33b8e9e032951fe8e6d9aaa8",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:35:29Z",
                            "message": "[{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7@sha256:8bab45fce830d56a30309a7f0101d2bc002f5c0173280310f54d1473e61083c9\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:35:28Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.",
                    "params": [
                        {
                            "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": ".dockerfile",
                            "description": "Suffix of the Dockerfile image tag.",
                            "name": "TAG_SUFFIX",
                            "type": "string"
                        },
                        {
                            "default": "application/vnd.konflux.dockerfile",
                            "description": "Artifact type of the Dockerfile image.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest-pinned image reference to the Dockerfile image.",
                            "name": "IMAGE_REF",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--source",
                                "source",
                                "--context",
                                "python-component",
                                "--containerfile",
                                "docker/Dockerfile",
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977",
                                "--image-digest",
                                "sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf",
                                "--artifact-type",
                                "application/vnd.konflux.dockerfile",
                                "--tag-suffix",
                                ".dockerfile",
                                "--result-path-image-ref",
                                "/tekton/results/IMAGE_REF",
                                "--alternative-filename",
                                "Dockerfile"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "push-containerfile"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                            "name": "push",
                            "workingDir": "/workspace/workspace"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code from where the Dockerfile is discovered.",
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=199efd7eac382257fdf540ad73856a709ce62977",
                    "build.appstudio.redhat.com/commit_sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "build.appstudio.redhat.com/pull_request_number": "22774",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-619920aa29",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84970971541",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-aizxpa",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-s24dt",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/e11c6258-b1db-4160-a206-8241e80c155d/records/be30a6c4-73bb-4775-bfe9-e83af0501ca6",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"199efd7eac382257fdf540ad73856a709ce62977\",\"eventType\":\"pull_request\",\"pull_request-id\":22774}",
                    "results.tekton.dev/result": "group-i4dp/results/e11c6258-b1db-4160-a206-8241e80c155d",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-v9b4py-on-pull-request-rxqst is running for component go-component-v9b4py, waiting for it to create a new group Snapshot for PR group pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:34:07Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84970971541",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-s24dt",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-s24dt",
                    "tekton.dev/pipelineRunUID": "e11c6258-b1db-4160-a206-8241e80c155d",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "python-component-28wip7-on-pull-request-s24dt-sast-shell-check",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-s24dt",
                        "uid": "e11c6258-b1db-4160-a206-8241e80c155d"
                    }
                ],
                "resourceVersion": "51652",
                "uid": "be30a6c4-73bb-4775-bfe9-e83af0501ca6"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-29e0ba6b8a"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:35:33Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:35:33Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-38db0ad33a4c3cdec92dc03de6e3cf68-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        "entryPoint": "sast-shell-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:35:31+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:34:10Z",
                "steps": [
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-shell-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d15df4dffe4d31de29b2e3d3cfca11ad14256073733f69fd508ee4e014d47183",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:35:31Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:35:31+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:35:30Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b5e1166473d75573147c0ca4a96c680cb66f47d429b165eb3f877ef5ed718ca4",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:35:33Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:35:31+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:35:32Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "8",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/workspace/workspace/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n    read -r quota period \u003c /sys/fs/cgroup/cpu.max\n    if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n        export SC_JOBS=$(((quota + period - 1) / period))\n        echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n    fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n    --mode=json\n    --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n    # predefined list of shellcheck important findings\n    CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n    CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n    CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n    CSGREP_OPTS+=(\n        --event=\"$CSGREP_EVENT_FILTER\"\n    )\nelse\n    CSGREP_OPTS+=(\n        --event=\"error|warning\"\n    )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e \"$OUTPUT_FILE\"; then\n    echo \"Error occurred while running 'run-shellcheck.sh'\"\n    note=\"Task sast-shell-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e \"${OUTPUT_FILE}.filtered\" 2\u003e \"${OUTPUT_FILE}.error\"\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n        mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003e shellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n    echo 'No image-url or image-digest param provided. Skipping upload.'\n    exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n        echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n        continue\n    fi\n\n    # Determine the media type based on the file extension\n    if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n        MEDIA_TYPE=\"application/json\"\n    else\n        MEDIA_TYPE=\"application/sarif+json\"\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n      exit 1\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=199efd7eac382257fdf540ad73856a709ce62977",
                    "build.appstudio.redhat.com/commit_sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "build.appstudio.redhat.com/pull_request_number": "22774",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-619920aa29",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84970971541",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-aizxpa",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-s24dt",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/e11c6258-b1db-4160-a206-8241e80c155d/records/5d150bad-5c5b-4237-af46-ad274adb73f8",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"199efd7eac382257fdf540ad73856a709ce62977\",\"eventType\":\"pull_request\",\"pull_request-id\":22774}",
                    "results.tekton.dev/result": "group-i4dp/results/e11c6258-b1db-4160-a206-8241e80c155d",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-v9b4py-on-pull-request-rxqst is running for component go-component-v9b4py, waiting for it to create a new group Snapshot for PR group pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:34:06Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84970971541",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-s24dt",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-s24dt",
                    "tekton.dev/pipelineRunUID": "e11c6258-b1db-4160-a206-8241e80c155d",
                    "tekton.dev/pipelineTask": "sast-snyk-check",
                    "tekton.dev/task": "sast-snyk-check",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "python-component-28wip7-on-pull-request-s24dt-sast-snyk-check",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-s24dt",
                        "uid": "e11c6258-b1db-4160-a206-8241e80c155d"
                    }
                ],
                "resourceVersion": "51577",
                "uid": "5d150bad-5c5b-4237-af46-ad274adb73f8"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-snyk-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-29e0ba6b8a"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:35:30Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:35:30Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-0482efd2a517d603162e72aac3a05ab1-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        "entryPoint": "sast-snyk-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-03T09:35:29+00:00\",\"note\":\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:34:08Z",
                "steps": [
                    {
                        "container": "step-sast-snyk-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-snyk-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://90f5608dce62edbd71d0427a137ae327458054f55cbf9c1389b5569039cd18a5",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:35:29Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-03T09:35:29+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:35:27Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://701668acbc43d2b229a58afaaae063824435356c56cf6d74ea7915de08f0a2b0",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:35:30Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-03T09:35:29+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:35:29Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.\n\nFollow the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/) to obtain a snyk-token and to enable the snyk task in a Pipeline.\n\nThe snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test\n\nSee https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.",
                    "params": [
                        {
                            "default": "snyk-secret",
                            "description": "Name of secret which contains Snyk token.",
                            "name": "SNYK_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Append arguments.",
                            "name": "ARGS",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Digest of the image to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Report only important findings in task result. Default is \"true\". To report all findings in task result, specify \"false\". Uploaded SARIF report to remote registry always includes all findings, regardless of severity level.",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Write excluded records in file. Useful for auditing (defaults to false).",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.",
                            "name": "IGNORE_FILE_PATHS",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "6Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "6Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNYK_SECRET",
                                    "value": "snyk-secret"
                                },
                                {
                                    "name": "ARGS"
                                },
                                {
                                    "name": "IGNORE_FILE_PATHS"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-snyk-check",
                            "script": "#!/usr/bin/env bash\n\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\n# Installation of Red Hat certificates for cloning Red Hat internal repositories\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSNYK_TOKEN_PATH=\"/etc/secrets/snyk_token\"\nif [ -f \"${SNYK_TOKEN_PATH}\" ] \u0026\u0026 [ -s \"${SNYK_TOKEN_PATH}\" ]; then\n  # SNYK token is provided\n  SNYK_TOKEN=\"$(cat ${SNYK_TOKEN_PATH})\"\n  export SNYK_TOKEN\nelse\n  # According to shellcheck documentation, the following error can be ignored as it is ignored through indirection: https://www.shellcheck.net/wiki/SC2034\n  # shellcheck disable=SC2034\n  to_enable_snyk='[here](https://konflux-ci.dev/docs/testing/build/snyk/)'\n  note=\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given ${to_enable_snyk}\"\n  TEST_OUTPUT=$(make_result_json -r SKIPPED -t \"$note\")\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nSNYK_EXIT_CODE=0\nSOURCE_CODE_DIR=/workspace/workspace\n\n# We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.\n(cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 IFS=\",\" \u0026\u0026 for path in $IGNORE_FILE_PATHS; do\n  snyk ignore --file-path=\"source/${path}\"\ndone)\n\nset +e\necho \"INFO: Running 'snyk code test'..\"\n# We do want to expand ARGS (it can be multiple CLI flags, not just one)\n# shellcheck disable=SC2086\n\n# Generate full paths for each directory in TARGET_DIRS\nIFS=\",\" read -ra TARGETS_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGETS_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # Ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ ! \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\n\n  # Ensure directory exists\n  if [ ! -d \"$resolved_path\" ]; then\n    echo \"Warning: Directory $resolved_path does not exist, skipping\"\n    continue\n  fi\n\n  echo \"INFO: Scanning directory: $resolved_path\"\n  # We do want to expand ARGS (it can be multiple CLI flags, not just one)\n  # shellcheck disable=SC2086\n  snyk code test $ARGS \"$resolved_path\" --max-depth=1 --sarif-file-output=\"${resolved_path}/sast_snyk_check_out_${d//\\//_}.json\" 1\u003e\u00262\u003e\u003e stdout.txt\n  cmd_exit_code=$?\n  # Track the exit code: if any snyk command fails, preserve the failure\n  # Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error, 3 = no supported files\n  # Error codes (2+) always override, warning codes (1,3) only if no previous error\n  if [[ \"$cmd_exit_code\" -ne 0 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 1 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 3 ]]; then\n    SNYK_EXIT_CODE=$cmd_exit_code\n  fi\n\ndone\n\n# Merge all SARIF outputs\nfind \"$SOURCE_CODE_DIR\" -name \"sast_snyk_check_out_*.json\" -exec cat {} + \u003e \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\nset -e\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\n\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n  # Check if the merged SARIF file has content - this could happen if the snyk scan found no findings\n  if [ ! -s \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\" ]; then\n    echo \"WARN: No JSON output files were generated by snyk scan\"\n    # Get snyk version for proper SARIF metadata\n    SNYK_VERSION=$(snyk --version 2\u003e/dev/null | head -1 | tr -d '\\n' || echo \"unknown\")\n    # Create a valid minimal SARIF structure using jq\n    # Note: coverage array is required even when empty because downstream jq commands expect it\n    jq -n --arg version \"$SNYK_VERSION\" '{\n      \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n      \"version\": \"2.1.0\",\n      \"runs\": [{\n        \"tool\": {\n          \"driver\": {\n            \"name\": \"snyk\",\n            \"version\": $version,\n            \"informationUri\": \"https://snyk.io\"\n          }\n        },\n        \"results\": [],\n        \"properties\": {\n          \"coverage\": []\n        }\n      }]\n    }' \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\n  fi\n\n  # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context\n  (cd  \"${SOURCE_CODE_DIR}\" \u0026\u0026 csgrep --mode=json --embed-context=3 \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json) \\\n    | csgrep --mode=json --strip-path-prefix=\"source/\"  \\\n    \u003e sast_snyk_check_out_all_findings.json\n\n  echo \"INFO: Initial results:\"\n  csgrep --mode=evtstat sast_snyk_check_out_all_findings.json\n\n  if [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\n  fi\n  PROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n  # create the KFP clone directory regardless\n  KFP_DIR=\"known-false-positives\"\n  KFP_CLONED=\"0\"\n  mkdir \"${KFP_DIR}\"\n\n  # We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\n  if [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n      echo \"INFO: Trying to clone known-false-positives..\"\n      git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\n  fi\n\n  if [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone know-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json\n  else\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    CMD=(\n      csfilter-kfp\n      --verbose\n      --kfp-dir=\"${KFP_DIR}\"\n      --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [ \"${RECORD_EXCLUDED}\" == \"true\" ]; then\n      CMD+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    set +e\n    \"${CMD[@]}\" sast_snyk_check_out_all_findings.json \u003e filtered_sast_snyk_check_out.json\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n      echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n      echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\n    echo \"INFO: Results after filtering:\"\n    (set -x \u0026\u0026 csgrep --mode=evtstat filtered_sast_snyk_check_out.json)\n  fi\n\n  # Generation of scan stats\n\n  total_files=$(jq '[.runs[0].properties.coverage[].files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n  supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == \"SUPPORTED\") | .files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n\n  # We make sure the values are 0 if no supported/total files are found\n  if [ \"$total_files\" = \"null\" ] || [ -z \"$total_files\" ]; then\n    total_files=0\n  fi\n\n  if [ \"$supported_files\" = \"null\" ] || [ -z \"$supported_files\" ]; then\n    supported_files=0\n  fi\n\n  coverage_ratio=0\n  if (( total_files \u003e 0 )); then\n      coverage_ratio=$((supported_files * 100 / total_files))\n  fi\n\n  # embed stats in results file and convert to SARIF\n  csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:\"${coverage_ratio}\" \\\n                      --set-scan-prop snyk-scanned-files-success:\"${supported_files}\"  \\\n                      --set-scan-prop snyk-scanned-files-total:\"${total_files}\" \\\n                      filtered_sast_snyk_check_out.json  \u003e sast_snyk_check_out.sarif\n\n  # Create filtered SARIF for Tekton task result based on IMP_FINDINGS_ONLY parameter\n  if [ \"${IMP_FINDINGS_ONLY}\" == \"true\" ]; then\n    # Filter to only \"error\" level or higher (high/critical severity) for Tekton task result\n    # In SARIF, defects are given a level like \"error\" or \"warning\". Snyk maps \"high\" level findings to \"error\".\n    # - \"error\" → importance level 1\n    # - \"warning\" (or missing level) → importance level 0\n    RESULT_SARIF=\"result_sast_snyk_check_out.sarif\"\n    csgrep --mode=sarif --imp-level 1 sast_snyk_check_out.sarif \u003e \"$RESULT_SARIF\"\n  else\n    # Use all findings for Tekton task result\n    RESULT_SARIF=\"sast_snyk_check_out.sarif\"\n  fi\n\n  TEST_OUTPUT=\n  parse_test_output \"sast-snyk-check\" sarif \"$RESULT_SARIF\"  || true\n\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n  note=\"Task sast-snyk-check success: Snyk code test found zero supported files.\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-snyk-check test failed because of the following issues:\"\n  cat stdout.txt\n  note=\"Task sast-snyk-check failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets",
                                    "name": "snyk-secret",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_snyk_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n    if [ \"${UPLOAD_FILES}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach to ${IMAGE_URL}\"\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "snyk-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "snyk-secret"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=199efd7eac382257fdf540ad73856a709ce62977",
                    "build.appstudio.redhat.com/commit_sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "build.appstudio.redhat.com/pull_request_number": "22774",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84970971541",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-aizxpa",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-s24dt",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/e11c6258-b1db-4160-a206-8241e80c155d/records/393549c4-4fc6-489b-a545-ff4c40fd289f",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"199efd7eac382257fdf540ad73856a709ce62977\",\"eventType\":\"pull_request\",\"pull_request-id\":22774}",
                    "results.tekton.dev/result": "group-i4dp/results/e11c6258-b1db-4160-a206-8241e80c155d",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-v9b4py-on-pull-request-rxqst is running for component go-component-v9b4py, waiting for it to create a new group Snapshot for PR group pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:34:06Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84970971541",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "199efd7eac382257fdf540ad73856a709ce62977",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-s24dt",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-s24dt",
                    "tekton.dev/pipelineRunUID": "e11c6258-b1db-4160-a206-8241e80c155d",
                    "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks",
                    "tekton.dev/task": "ecosystem-cert-preflight-checks",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "python-component-28wip7-on-pull0b0e9a6ecbcb2d6a6352ad96fd3aec14",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-s24dt",
                        "uid": "e11c6258-b1db-4160-a206-8241e80c155d"
                    }
                ],
                "resourceVersion": "53055",
                "uid": "393549c4-4fc6-489b-a545-ff4c40fd289f"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "ecosystem-cert-preflight-checks"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:35:51Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:35:51Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-4fa16043588dc8718abb2c44cc5921d7-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        "entryPoint": "ecosystem-cert-preflight-checks",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks"
                    }
                },
                "results": [
                    {
                        "name": "ARTIFACT_TYPE",
                        "type": "string",
                        "value": "application"
                    },
                    {
                        "name": "ARTIFACT_TYPE_SET_BY",
                        "type": "string",
                        "value": "introspection"
                    },
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977\", \"digests\": [\"sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf\"]}}"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783071349\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-03T09:34:07Z",
                "steps": [
                    {
                        "container": "step-introspect",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "introspect",
                        "provenance": {},
                        "results": [
                            {
                                "name": "artifact-type",
                                "type": "string",
                                "value": "application"
                            },
                            {
                                "name": "artifact-type-set-by",
                                "type": "string",
                                "value": "introspection"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://f3ef7509c193433a033d8fb21438b026d29d61263aa5cef05f1c992ee17bde58",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:34:38Z",
                            "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:34:37Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-generate-container-auth",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "generate-container-auth",
                        "provenance": {},
                        "results": [
                            {
                                "name": "auth-json-path",
                                "type": "string",
                                "value": "/auth/auth.json"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://e9405b9c88d1279048cd6741a2c23a5491320ef50aabd9831998daf7d66c769f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:34:39Z",
                            "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:34:39Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-set-skip-for-bundles",
                        "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                        "name": "set-skip-for-bundles",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://20f555ef16e9a65d2a9d2331dc415f253896953d2b19d95f938142f246118c60",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:34:39Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:34:39Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-app-check",
                        "imageID": "quay.io/opdev/preflight@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                        "name": "app-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://5ef5b7662bf55175e7998354cda545d3b9a66cb6a0925003f91be7ceb10f8443",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:35:48Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:34:40Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-app-set-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "app-set-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "images-processed",
                                "type": "string",
                                "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977\", \"digests\": [\"sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf\"]}}"
                            },
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783071349\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://4987d45b7e62889aa3fdec163c997ccf4ad8d4f7eb5cea01bf7b0a310ebce90c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:35:49Z",
                            "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977\\\", \\\"digests\\\": [\\\"sha256:e824c722bba731dcac83c2a117cbe595b9395de4cd24320d9fed77da75241fcf\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1783071349\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:35:49Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-final-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "final-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783071349\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://48eee4e4b615df9bf6b43208fabb94444817dca8f2e6b33333a1ae21c8f3de8c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:35:50Z",
                            "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1783071349\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:35:49Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.",
                    "params": [
                        {
                            "description": "Image url to scan.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "introspect",
                            "description": "The type of artifact. Select from application, operatorbundle, or introspect.",
                            "name": "artifact-type",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform the image is built on.",
                            "name": "platform",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Ecosystem checks pass or fail outcome.",
                            "name": "TEST_OUTPUT",
                            "type": "string",
                            "value": "$(steps.final-outcome.results.test-output)"
                        },
                        {
                            "description": "The artifact type, either introspected or set.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type)"
                        },
                        {
                            "description": "How the artifact type was set.",
                            "name": "ARTIFACT_TYPE_SET_BY",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type-set-by)"
                        },
                        {
                            "description": "Collected image digests",
                            "name": "IMAGES_PROCESSED",
                            "type": "string",
                            "value": "$(steps.app-set-outcome.results.images-processed)"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_ARTIFACT_TYPE",
                                    "value": "introspect"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "introspect",
                            "results": [
                                {
                                    "description": "The type of artifact this task is considering.",
                                    "name": "artifact-type"
                                },
                                {
                                    "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n",
                                    "name": "artifact-type-set-by"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n  echo \"Artifact type will be determined by introspection.\"\n  _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n  # short circuit if the artifact type was set via parameter.\n  echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n  printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n  exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n  _CURRENT_ARCH=$(uname -m)\n  _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n  # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n  # to map them.\n  case ${_CURRENT_ARCH} in\n    \"aarch64\")\n      _CURRENT_ARCH=\"arm64\"\n      ;;\n    \"x86_64\")\n      _CURRENT_ARCH=\"amd64\"\n      ;;\n    *)\n      ;;\n  esac\n\n  # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n  _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n  if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n    echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n  else\n    # If there is no image for the current OS and architecture, just use the first one in the list.\n    _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n    _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n    _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n    _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n    echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n  fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n  | jq '.Labels | keys | .[]' -r \\\n  | { grep operators.operatorframework.io.bundle || true ;} \\\n  | tee /tmp/ecosystem-image-labels\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n"
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "generate-container-auth",
                            "results": [
                                {
                                    "description": "Path to auth.json",
                                    "name": "auth-json-path"
                                }
                            ],
                            "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/auth",
                                    "name": "auth"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                            "name": "set-skip-for-bundles",
                            "results": [
                                {
                                    "description": "A skipped tekton result for bundles.",
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/bundle",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "operatorbundle"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PFLT_DOCKERCONFIG",
                                    "value": "$(steps.generate-container-auth.results.auth-json-path)"
                                },
                                {
                                    "name": "PFLT_KONFLUX",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977"
                                },
                                {
                                    "name": "PARAM_PLATFORM"
                                }
                            ],
                            "image": "quay.io/opdev/preflight:stable@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                            "name": "app-check",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n  # Extract part after slash if present\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n\n  # Validate against supported arch list. If it's not a known arch, return an error result\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n  /usr/local/bin/preflight check container \"$image_url\"\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                },
                                {
                                    "mountPath": "/auth",
                                    "name": "auth",
                                    "readOnly": true
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-199efd7eac382257fdf540ad73856a709ce62977"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "app-set-outcome",
                            "results": [
                                {
                                    "description": "The overall outcome of this task.",
                                    "name": "test-output"
                                },
                                {
                                    "description": "Processed image digests.",
                                    "name": "images-processed"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n    # Check if results directory exits\n    RESULT_JSON_PATH=/artifacts/${ARCH}/results.json\n    if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n        continue\n    fi\n    # Process results\n    if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n    PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{  result: $result,\n    timestamp: $date,\n    note: $note,\n    successes: $successes|tonumber,\n    failures: $failures|tonumber,\n    warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n  docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n  if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n    digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n  fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nimage_digest=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" | sha256sum | awk '{print \"sha256:\" $1}')\nif [[ -n \"$image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n  digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "final-outcome",
                            "results": [
                                {
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n  printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n  exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mount",
                                    "name": "pfltoutputdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "pfltoutputdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "auth"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "build.appstudio.redhat.com/commit_sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "build.appstudio.redhat.com/pull_request_number": "22774",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969855127",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-atayna",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-b289z",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-u2ffvk",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/5e2379c4-9470-44ab-bf34-da72dcf9436e/records/9f745e74-6a3f-423c-9cb8-c5b229c7baef",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"52eb37d0bb8d37e5becf0e76a3e07fe42166f917\",\"eventType\":\"pull_request\",\"pull_request-id\":22774}",
                    "results.tekton.dev/result": "group-i4dp/results/5e2379c4-9470-44ab-bf34-da72dcf9436e",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR konflux-test-integration-clone-ld7t88-on-pull-request-9np5w is running for component konflux-test-integration-clone-ld7t88, waiting for it to create a new group Snapshot for PR group pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-u2ffvk",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:28:03Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84969855127",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22774",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "52eb37d0bb8d37e5becf0e76a3e07fe42166f917",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-b289z",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-b289z",
                    "tekton.dev/pipelineRunUID": "5e2379c4-9470-44ab-bf34-da72dcf9436e",
                    "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks",
                    "tekton.dev/task": "ecosystem-cert-preflight-checks",
                    "test.appstudio.openshift.io/pr-group-sha": "0dda5bad95bb27c3bb7025f6aa35488f92c3b12611418e1b317ec2a3984bb0"
                },
                "name": "python-component-28wip7-on-pull4ff9044cb0fbaf82859277ccbe507339",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-b289z",
                        "uid": "5e2379c4-9470-44ab-bf34-da72dcf9436e"
                    }
                ],
                "resourceVersion": "45696",
                "uid": "9f745e74-6a3f-423c-9cb8-c5b229c7baef"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "ecosystem-cert-preflight-checks"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:29:32Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:29:32Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-daf23efdaf7ef3b8a222d711cdeccae3-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        "entryPoint": "ecosystem-cert-preflight-checks",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks"
                    }
                },
                "results": [
                    {
                        "name": "ARTIFACT_TYPE",
                        "type": "string",
                        "value": "application"
                    },
                    {
                        "name": "ARTIFACT_TYPE_SET_BY",
                        "type": "string",
                        "value": "introspection"
                    },
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917\", \"digests\": [\"sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc\"]}}"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783070967\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-03T09:28:04Z",
                "steps": [
                    {
                        "container": "step-introspect",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "introspect",
                        "provenance": {},
                        "results": [
                            {
                                "name": "artifact-type",
                                "type": "string",
                                "value": "application"
                            },
                            {
                                "name": "artifact-type-set-by",
                                "type": "string",
                                "value": "introspection"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://f2008552dc89009cf80ee15dc9460bb073c4792e0cda907c0548d03ea346f482",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:28:33Z",
                            "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:28:32Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-generate-container-auth",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "generate-container-auth",
                        "provenance": {},
                        "results": [
                            {
                                "name": "auth-json-path",
                                "type": "string",
                                "value": "/auth/auth.json"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://58b4f623f7fbe3a550294d02bcb0d555a3e09a33880d14307d16a7ff2f49f89c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:28:34Z",
                            "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:28:34Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-set-skip-for-bundles",
                        "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                        "name": "set-skip-for-bundles",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b3731b3e45938a64e60263fc4b8eaf90ae12550e9d175f54036acb3bdfda0a46",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:28:34Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:28:34Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-app-check",
                        "imageID": "quay.io/opdev/preflight@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                        "name": "app-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://5ad8a9409bd6f3b03845ba2d81541cd4613be4969a2a7fec577de509738ece0e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:29:27Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:28:34Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-app-set-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "app-set-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "images-processed",
                                "type": "string",
                                "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917\", \"digests\": [\"sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc\"]}}"
                            },
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783070967\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://8770dea85a1734e0d23153a33cd8ee04fa35c6a26a3114b0eb83eb0bf533adf7",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:29:28Z",
                            "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917\\\", \\\"digests\\\": [\\\"sha256:f7a5a8f01ef65e9be3fa5efbea98ef7aeca8268036c507abdb96d42c33974edc\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1783070967\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:29:27Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-final-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "final-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783070967\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://aef2b687049b182d95cf61f74c425cd9c28b693326d74c4d33bf012346a12372",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:29:29Z",
                            "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1783070967\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:29:28Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.",
                    "params": [
                        {
                            "description": "Image url to scan.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "introspect",
                            "description": "The type of artifact. Select from application, operatorbundle, or introspect.",
                            "name": "artifact-type",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform the image is built on.",
                            "name": "platform",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Ecosystem checks pass or fail outcome.",
                            "name": "TEST_OUTPUT",
                            "type": "string",
                            "value": "$(steps.final-outcome.results.test-output)"
                        },
                        {
                            "description": "The artifact type, either introspected or set.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type)"
                        },
                        {
                            "description": "How the artifact type was set.",
                            "name": "ARTIFACT_TYPE_SET_BY",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type-set-by)"
                        },
                        {
                            "description": "Collected image digests",
                            "name": "IMAGES_PROCESSED",
                            "type": "string",
                            "value": "$(steps.app-set-outcome.results.images-processed)"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_ARTIFACT_TYPE",
                                    "value": "introspect"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "introspect",
                            "results": [
                                {
                                    "description": "The type of artifact this task is considering.",
                                    "name": "artifact-type"
                                },
                                {
                                    "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n",
                                    "name": "artifact-type-set-by"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n  echo \"Artifact type will be determined by introspection.\"\n  _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n  # short circuit if the artifact type was set via parameter.\n  echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n  printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n  exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n  _CURRENT_ARCH=$(uname -m)\n  _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n  # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n  # to map them.\n  case ${_CURRENT_ARCH} in\n    \"aarch64\")\n      _CURRENT_ARCH=\"arm64\"\n      ;;\n    \"x86_64\")\n      _CURRENT_ARCH=\"amd64\"\n      ;;\n    *)\n      ;;\n  esac\n\n  # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n  _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n  if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n    echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n  else\n    # If there is no image for the current OS and architecture, just use the first one in the list.\n    _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n    _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n    _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n    _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n    echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n  fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n  | jq '.Labels | keys | .[]' -r \\\n  | { grep operators.operatorframework.io.bundle || true ;} \\\n  | tee /tmp/ecosystem-image-labels\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n"
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "generate-container-auth",
                            "results": [
                                {
                                    "description": "Path to auth.json",
                                    "name": "auth-json-path"
                                }
                            ],
                            "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/auth",
                                    "name": "auth"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                            "name": "set-skip-for-bundles",
                            "results": [
                                {
                                    "description": "A skipped tekton result for bundles.",
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/bundle",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "operatorbundle"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PFLT_DOCKERCONFIG",
                                    "value": "$(steps.generate-container-auth.results.auth-json-path)"
                                },
                                {
                                    "name": "PFLT_KONFLUX",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                                },
                                {
                                    "name": "PARAM_PLATFORM"
                                }
                            ],
                            "image": "quay.io/opdev/preflight:stable@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                            "name": "app-check",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n  # Extract part after slash if present\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n\n  # Validate against supported arch list. If it's not a known arch, return an error result\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n  /usr/local/bin/preflight check container \"$image_url\"\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                },
                                {
                                    "mountPath": "/auth",
                                    "name": "auth",
                                    "readOnly": true
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-52eb37d0bb8d37e5becf0e76a3e07fe42166f917"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "app-set-outcome",
                            "results": [
                                {
                                    "description": "The overall outcome of this task.",
                                    "name": "test-output"
                                },
                                {
                                    "description": "Processed image digests.",
                                    "name": "images-processed"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n    # Check if results directory exits\n    RESULT_JSON_PATH=/artifacts/${ARCH}/results.json\n    if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n        continue\n    fi\n    # Process results\n    if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n    PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{  result: $result,\n    timestamp: $date,\n    note: $note,\n    successes: $successes|tonumber,\n    failures: $failures|tonumber,\n    warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n  docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n  if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n    digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n  fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nimage_digest=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" | sha256sum | awk '{print \"sha256:\" $1}')\nif [[ -n \"$image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n  digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "final-outcome",
                            "results": [
                                {
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n  printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n  exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mount",
                                    "name": "pfltoutputdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "pfltoutputdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "auth"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "build.appstudio.redhat.com/commit_sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "build.appstudio.redhat.com/pull_request_number": "22773",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84967978960",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ycsfib",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-pull-request-nq6fx",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-28wip7",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-28wip7",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/d0903d73-a704-4437-bb2a-90c56c6912d6/records/0e28a3aa-670b-4829-9929-91041275be82",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\",\"eventType\":\"pull_request\",\"pull_request-id\":22773}",
                    "results.tekton.dev/result": "group-i4dp/results/d0903d73-a704-4437-bb2a-90c56c6912d6",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-28wip7",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:17:16Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84967978960",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-pull-request-nq6fx",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-pull-request-nq6fx",
                    "tekton.dev/pipelineRunUID": "d0903d73-a704-4437-bb2a-90c56c6912d6",
                    "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks",
                    "tekton.dev/task": "ecosystem-cert-preflight-checks",
                    "test.appstudio.openshift.io/pr-group-sha": "258679abe19d5d494ae31bf8378944fc84231aac62b193a6d81f2ac7866fe4"
                },
                "name": "python-component-28wip7-on-pulla20965fc48fa34938bc370064de13a40",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-pull-request-nq6fx",
                        "uid": "d0903d73-a704-4437-bb2a-90c56c6912d6"
                    }
                ],
                "resourceVersion": "34016",
                "uid": "0e28a3aa-670b-4829-9929-91041275be82"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "ecosystem-cert-preflight-checks"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:18:23Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:18:23Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-8b3d614ba95620eefde11340ba0b19b5-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        "entryPoint": "ecosystem-cert-preflight-checks",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks"
                    }
                },
                "results": [
                    {
                        "name": "ARTIFACT_TYPE",
                        "type": "string",
                        "value": "application"
                    },
                    {
                        "name": "ARTIFACT_TYPE_SET_BY",
                        "type": "string",
                        "value": "introspection"
                    },
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\", \"digests\": [\"sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4\"]}}"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783070301\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-03T09:17:16Z",
                "steps": [
                    {
                        "container": "step-introspect",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "introspect",
                        "provenance": {},
                        "results": [
                            {
                                "name": "artifact-type",
                                "type": "string",
                                "value": "application"
                            },
                            {
                                "name": "artifact-type-set-by",
                                "type": "string",
                                "value": "introspection"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://d81b0c26144c1546a7f63a3ac4ac00f4edae47e7633e295a5b0e68a11ae1a70b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:17:32Z",
                            "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:17:31Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-generate-container-auth",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "generate-container-auth",
                        "provenance": {},
                        "results": [
                            {
                                "name": "auth-json-path",
                                "type": "string",
                                "value": "/auth/auth.json"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://22b521bcf7a85fd3db453a89892dcdb110ee976203365b8fb375effd84784a43",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:17:32Z",
                            "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:17:32Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-set-skip-for-bundles",
                        "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                        "name": "set-skip-for-bundles",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://ac1f9f6e042aa6c1890f6a3bc338b07ee18c8e56af131f630ecd220454ece9b8",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:17:33Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:17:33Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-app-check",
                        "imageID": "quay.io/opdev/preflight@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                        "name": "app-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://5cc0a05ecddc94d5370b6fc91d2b6397ca670c07bd9ac1132dacf3ea1519e598",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:18:21Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:17:33Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-app-set-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "app-set-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "images-processed",
                                "type": "string",
                                "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\", \"digests\": [\"sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4\"]}}"
                            },
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783070301\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://e707ae7ff9a7cd9e0462979263e58276ec2c1bfbe3ad220d0fe18fd95f276aa7",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:18:21Z",
                            "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d\\\", \\\"digests\\\": [\\\"sha256:5a5721b9eae05def7cc1d5e9889e141ec5eabf89db373fccbc6512827f5524b4\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1783070301\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:18:21Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-final-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "final-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783070301\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://2cd37e97ea18e94cf6a0bf1981e5cdc5251f26626c0aa9a08526e8301de67b5d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:18:22Z",
                            "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1783070301\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:18:22Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.",
                    "params": [
                        {
                            "description": "Image url to scan.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "introspect",
                            "description": "The type of artifact. Select from application, operatorbundle, or introspect.",
                            "name": "artifact-type",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform the image is built on.",
                            "name": "platform",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Ecosystem checks pass or fail outcome.",
                            "name": "TEST_OUTPUT",
                            "type": "string",
                            "value": "$(steps.final-outcome.results.test-output)"
                        },
                        {
                            "description": "The artifact type, either introspected or set.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type)"
                        },
                        {
                            "description": "How the artifact type was set.",
                            "name": "ARTIFACT_TYPE_SET_BY",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type-set-by)"
                        },
                        {
                            "description": "Collected image digests",
                            "name": "IMAGES_PROCESSED",
                            "type": "string",
                            "value": "$(steps.app-set-outcome.results.images-processed)"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_ARTIFACT_TYPE",
                                    "value": "introspect"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "introspect",
                            "results": [
                                {
                                    "description": "The type of artifact this task is considering.",
                                    "name": "artifact-type"
                                },
                                {
                                    "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n",
                                    "name": "artifact-type-set-by"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n  echo \"Artifact type will be determined by introspection.\"\n  _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n  # short circuit if the artifact type was set via parameter.\n  echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n  printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n  exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n  _CURRENT_ARCH=$(uname -m)\n  _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n  # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n  # to map them.\n  case ${_CURRENT_ARCH} in\n    \"aarch64\")\n      _CURRENT_ARCH=\"arm64\"\n      ;;\n    \"x86_64\")\n      _CURRENT_ARCH=\"amd64\"\n      ;;\n    *)\n      ;;\n  esac\n\n  # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n  _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n  if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n    echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n  else\n    # If there is no image for the current OS and architecture, just use the first one in the list.\n    _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n    _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n    _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n    _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n    echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n  fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n  | jq '.Labels | keys | .[]' -r \\\n  | { grep operators.operatorframework.io.bundle || true ;} \\\n  | tee /tmp/ecosystem-image-labels\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n"
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "generate-container-auth",
                            "results": [
                                {
                                    "description": "Path to auth.json",
                                    "name": "auth-json-path"
                                }
                            ],
                            "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/auth",
                                    "name": "auth"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                            "name": "set-skip-for-bundles",
                            "results": [
                                {
                                    "description": "A skipped tekton result for bundles.",
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/bundle",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "operatorbundle"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PFLT_DOCKERCONFIG",
                                    "value": "$(steps.generate-container-auth.results.auth-json-path)"
                                },
                                {
                                    "name": "PFLT_KONFLUX",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                                },
                                {
                                    "name": "PARAM_PLATFORM"
                                }
                            ],
                            "image": "quay.io/opdev/preflight:stable@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                            "name": "app-check",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n  # Extract part after slash if present\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n\n  # Validate against supported arch list. If it's not a known arch, return an error result\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n  /usr/local/bin/preflight check container \"$image_url\"\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                },
                                {
                                    "mountPath": "/auth",
                                    "name": "auth",
                                    "readOnly": true
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:on-pr-c4be1a4f5bd75e4ecda7417485de8f74c38d7e4d"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "app-set-outcome",
                            "results": [
                                {
                                    "description": "The overall outcome of this task.",
                                    "name": "test-output"
                                },
                                {
                                    "description": "Processed image digests.",
                                    "name": "images-processed"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n    # Check if results directory exits\n    RESULT_JSON_PATH=/artifacts/${ARCH}/results.json\n    if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n        continue\n    fi\n    # Process results\n    if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n    PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{  result: $result,\n    timestamp: $date,\n    note: $note,\n    successes: $successes|tonumber,\n    failures: $failures|tonumber,\n    warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n  docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n  if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n    digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n  fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nimage_digest=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" | sha256sum | awk '{print \"sha256:\" $1}')\nif [[ -n \"$image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n  digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "final-outcome",
                            "results": [
                                {
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n  printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n  exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mount",
                                    "name": "pfltoutputdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "pfltoutputdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "auth"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "build.appstudio.redhat.com/commit_sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84968997179",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-lqqecl",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-push-j7m22",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22773 from redhat-appstudio-qe/konflux-python-component-28wip7\n\nkonflux-ci e2e-tests update python-component-28wip7",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/61fbea71-1006-4818-8ff3-005e79e67ef8/records/e34651e0-f08e-4647-87b9-3dfc19ea35df",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a51959f0cf9968e3155749b6c114a7b1bae41bc1\",\"eventType\":\"push\",\"pull_request-id\":22773}",
                    "results.tekton.dev/result": "group-i4dp/results/61fbea71-1006-4818-8ff3-005e79e67ef8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-03T09:22:43Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84968997179",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-push-j7m22",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-push-j7m22",
                    "tekton.dev/pipelineRunUID": "61fbea71-1006-4818-8ff3-005e79e67ef8",
                    "tekton.dev/pipelineTask": "apply-tags",
                    "tekton.dev/task": "apply-tags"
                },
                "name": "python-component-28wip7-on-push-j7m22-apply-tags",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-push-j7m22",
                        "uid": "61fbea71-1006-4818-8ff3-005e79e67ef8"
                    }
                ],
                "resourceVersion": "38726",
                "uid": "e34651e0-f08e-4647-87b9-3dfc19ea35df"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "apply-tags"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:23:02Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:23:02Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-push-j7m22-apply-tags-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        "entryPoint": "apply-tags",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags"
                    }
                },
                "startTime": "2026-07-03T09:22:47Z",
                "steps": [
                    {
                        "container": "step-apply-additional-tags",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                        "name": "apply-additional-tags",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d9ee31be0258fe7062b0ea233c483bbdda732dd4d39dc98876d3ca5d427e85be",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:23:00Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:22:58Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Applies additional tags to the built image.",
                    "params": [
                        {
                            "description": "Image repository and tag reference of the the built image.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest of the built image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional tags that will be applied to the image in the registry.",
                            "name": "ADDITIONAL_TAGS",
                            "type": "array"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                                "--digest",
                                "sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e",
                                "--tags",
                                "--tags-from-image-label",
                                "konflux.additional-tags"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "apply-tags"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                            "name": "apply-additional-tags"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "build.appstudio.redhat.com/commit_sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-a76cdb67a0",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84968997179",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-lqqecl",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-push-j7m22",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22773 from redhat-appstudio-qe/konflux-python-component-28wip7\n\nkonflux-ci e2e-tests update python-component-28wip7",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/61fbea71-1006-4818-8ff3-005e79e67ef8/records/e575726f-91b4-44dc-a4e8-a5223ed3f360",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a51959f0cf9968e3155749b6c114a7b1bae41bc1\",\"eventType\":\"push\",\"pull_request-id\":22773}",
                    "results.tekton.dev/result": "group-i4dp/results/61fbea71-1006-4818-8ff3-005e79e67ef8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-03T09:19:59Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84968997179",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-push-j7m22",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-push-j7m22",
                    "tekton.dev/pipelineRunUID": "61fbea71-1006-4818-8ff3-005e79e67ef8",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah"
                },
                "name": "python-component-28wip7-on-push-j7m22-build-container",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-push-j7m22",
                        "uid": "61fbea71-1006-4818-8ff3-005e79e67ef8"
                    }
                ],
                "resourceVersion": "38115",
                "uid": "e575726f-91b4-44dc-a4e8-a5223ed3f360"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "docker/Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "python-component"
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": ""
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.9@sha256:b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-92e07960d8"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:22:26Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:22:26Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-push-j7m22-build-container-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        "entryPoint": "buildah",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1@sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7@sha256:d6fd882f3f689c966bbda45694c1c7b2d306abf61ca3a8d34588010eaa537eb9"
                    }
                ],
                "startTime": "2026-07-03T09:20:00Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://272496c21b71bab19d51e1b1bab0cd73792a73afb9a7178639b49865b3511fc4",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:20:36Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:20:07Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c3113380c749d5eaa71802eadec169e4b11b86838fd39f6171fea1d165bad538",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:21:11Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1@sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:20:37Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "sbom-syft-generate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://01a9e7a616eecc9ee57dba4a65c4016c56999e4754500583326be8cf52340fee",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:21:33Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1@sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:21:12Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "prepare-sboms",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6a009dcdd47ac9c38b2ca97c0565c198b1963adf20e2880925f6d52a9cf3ae1c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:21:57Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1@sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:21:34Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://1dc1e4ea83625311b5d5a904d67dcccdebaba617c78207f037642fe7f4b1d56e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:22:24Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1@sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7@sha256:d6fd882f3f689c966bbda45694c1c7b2d306abf61ca3a8d34588010eaa537eb9\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:21:57Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.",
                    "params": [
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to enable privileged mode, should be used only with remote VMs",
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "4Gi"
                            },
                            "requests": {
                                "cpu": "1",
                                "memory": "4Gi"
                            }
                        },
                        "env": [
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "python-component"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "ENTITLEMENT_SECRET",
                                "value": "etc-pki-entitlement"
                            },
                            {
                                "name": "ACTIVATION_KEY",
                                "value": "activation-key"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--build-args",
                                "--env",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                },
                                "requests": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "docker/Dockerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n  if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n    echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n    export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n      echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n      export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n    fi\n  fi\n}\n\nfunction unset_proxy {\n  echo \"[$(date --utc -Ins)] Unsetting proxy\"\n  unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n  echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n  CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n  \"$source_dir_path\" | \"$source_dir_path/\"*)\n    # path is valid, do nothing\n    ;;\n  *)\n    echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n    echo \"Source path: $source_dir_path\" \u003e\u00262\n    echo \"Resolved path: $context_dir_path\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n  # Instrumented builds (SAST) use this custom dockerfile step as their base\n  dockerfile_path=\"$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n  icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e /etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n  while IFS= read -r line || [[ -n \"$line\" ]]; do\n    # Skip empty lines and comments\n    if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n      ANNOTATIONS+=(\"--annotation\" \"$line\")\n    fi\n  done \u003c \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n    case $1 in\n        --build-args)\n            shift\n            # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n            # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n            # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do build_args+=(\"$1\"); shift; done\n            ;;\n        --env)\n            shift\n            # Collect env entries of the form KEY=value\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do env_vars+=(\"$1\"); shift; done\n            ;;\n        --labels)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do LABELS+=(\"--label\" \"$1\"); shift; done\n            ;;\n        --annotations)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ANNOTATIONS+=(\"--annotation\" \"$1\"); shift; done\n            ;;\n        *)\n            echo \"unexpected argument: $1\" \u003e\u00262\n            exit 2\n            ;;\n    esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n  BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n  ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e /shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n    jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--pull=never\")\n  UNSHARE_ARGS+=(\"--net\")\n  buildah_retries=3\n\n  set_proxy\n\n  for image in $BASE_IMAGES; do\n    if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"\n    then\n      echo \"Failed to pull base image ${image}\"\n      exit 1\n    fi\n  done\n\n  unset_proxy\n\n  echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n  BUILDAH_ARGS+=(\"--cap-add=all\")\n  BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n  BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n  if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n    BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n  fi\n  if [ -n \"$BUILD_TIMESTAMP\" ]; then\n    echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n    exit 1\n  fi\n  # but do set it so that we get all the labels/annotations associated with it\n  BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/workspace/source/cachi2/cachi2.env\" ]; then\n  # Identify the current arch to filter the prefetched content\n  PREFETCH_ARCH=\"$(uname -m)\"\n  echo \"$PREFETCH_ARCH\" \u003e /shared/prefetch-arch\n\n  echo \"Prefetched content will be made available\"\n\n  cp -r \"/workspace/source/cachi2\" /tmp/\n  chmod -R go+rwX /tmp/cachi2\n\n  # In case RPMs were prefetched and this is a multi-arch build,\n  # clean up the packages that do not match the architecture being built\n  RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n  if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n    echo \"Removing prefetched RPMs from non-matching architectures\"\n    PREFETCH_ARCH=\"$(uname -m)\"\n    for path in \"$RPM_PREFETCH_DIR\"/*; do\n      if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n        echo \"Removing: $path\"\n        rm -rf \"$path\"\n      else\n        echo \"Keeping: $path\"\n      fi\n    done\n  fi\n\n  VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n  # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n  # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n  sed -E -i \\\n      -e 'H;1h;$!d;x' \\\n      -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n    @igM' \\\n      \"$dockerfile_copy\"\n\n  prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n  if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n    echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n    mkdir -p \"$YUM_REPOS_D_FETCHED\"\n    if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n      cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n    fi\n  fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n  cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n  mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n  VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n  \"--label\" \"architecture=$(uname -m)\"\n  \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n  BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n  BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n  FINAL_BASE_IMAGE=$(\n    # Get the base image of the final stage\n    # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n    # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n    # Run the find_root_stage() function on the final stage\n    # If the final stage is scratch or oci-archive, return empty\n    jq -r '.Stages as $all_stages |\n      def find_root_stage($stage):\n        if $stage.From.Stage then\n          find_root_stage($all_stages[$stage.From.Stage.Index])\n        else\n          $stage\n        end;\n\n        find_root_stage(.Stages[-1]) |\n        if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n          empty\n        else\n          .BaseName\n        end' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n  )\n  if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n    set_proxy\n    buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null` `\n    unset_proxy\n    buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n  fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n  if [[ \"$label\" != \"--label\" ]]; then\n    label_pairs+=(\"$label\")\n  fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n  label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n  [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n  | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  echo \"\" \u003e\u003e\"$dockerfile_copy\"\n  # Always write labels.json to the new standard location\n  echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  # Conditionally write to the old location for backward compatibility\n  if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n    echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n  ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n  cp \"$containerignore\" \"$ignorefile_copy\"\n  {\n    echo \"\"\n    echo \"!/labels.json\"\n    echo \"!/content-sets.json\"\n  } \u003e\u003e \"$ignorefile_copy\"\n  BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n#    shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n  cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n  mkdir -p /shared/rhsm/etc/pki/entitlement\n  mkdir -p /shared/rhsm/etc/pki/consumer\n\n  VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key \\\n                  -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z \\\n                  -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n  echo \"Adding activation key to the build\"\n\n  if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n    # user is not running registration in the Containerfile: pre-register.\n    echo \"Pre-registering with subscription manager.\"\n    export RETRY_MAX_TRIES=6\n    if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"\n    then\n      echo \"Subscription-manager register failed\"\n      exit 1\n    fi\n    unset RETRY_MAX_TRIES\n    trap 'subscription-manager unregister || true' EXIT\n\n    # copy generated certificates to /shared volume\n    cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n    cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n    # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n    VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n  fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e /dev/null; then\n  cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n  VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n  echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n  if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n    echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n    echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n    exit 1\n  fi\n  # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n  # (we set the workdir using 'unshare -w')\n  context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n  VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n  # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n  # Instrumented builds (SAST) use this step as their base and add some other tools.\n  while read -r volume_mount; do\n    VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n  done \u003c\u003c\u003c \"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n  cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n  while read -r filename; do\n    echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n    BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n  done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n    buildah build\n    \"${VOLUME_MOUNTS[@]}\"\n    \"${BUILDAH_ARGS[@]}\"\n    \"${LABELS[@]}\"\n    \"${ANNOTATIONS[@]}\"\n    --tls-verify=\"$TLSVERIFY\" --no-cache\n    --ulimit nofile=4096:4096\n    --http-proxy=false\n    -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n  command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n  command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n  # Get the image pullspec and filter out a tag if it is not set\n  # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n  base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n  # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n  # if buildah did not use that particular image during build because it was skipped\n  if [ -n \"$base_image_digest\" ]; then\n    echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n  fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e /shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "python-component-28wip7-on-push-j7m22-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "push",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"\nthen\n  echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/workspace/source/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n  echo \"Failed to push sbom image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c \"/workspace/source\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/workspace/source/image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"\nthen\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n  [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n  [rekorInternalUrl]=REKOR_URL\n  [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n  [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n  [rekorInternalUrl]=rekorExternalUrl\n  [fulcioInternalUrl]=fulcioExternalUrl\n  [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e /shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e /tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\n  cyclonedx)\n    syft_sbom_type=cyclonedx-json@1.5 ;;\n  spdx)\n    syft_sbom_type=spdx-json@2.3 ;;\n  *)\n    echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/workspace/source/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/source/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n    --additional-base-images)\n      shift\n      while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ADDITIONAL_BASE_IMAGES+=(\"$1\"); shift; done\n      ;;\n    *)\n      echo \"unexpected argument: $1\" \u003e\u00262\n      exit 2\n      ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/workspace/source/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/workspace/source/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/workspace/source/sbom-source.json\")\nfi\n\nif [ -f \"/workspace/source/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/workspace/source/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n    # spdx export data as rawstring, we want structured json as cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code to build.",
                            "name": "source"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "build.appstudio.redhat.com/commit_sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84968997179",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-lqqecl",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-push-j7m22",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22773 from redhat-appstudio-qe/konflux-python-component-28wip7\n\nkonflux-ci e2e-tests update python-component-28wip7",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/61fbea71-1006-4818-8ff3-005e79e67ef8/records/742da578-6cf4-4738-b89e-4619e4f6d492",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a51959f0cf9968e3155749b6c114a7b1bae41bc1\",\"eventType\":\"push\",\"pull_request-id\":22773}",
                    "results.tekton.dev/result": "group-i4dp/results/61fbea71-1006-4818-8ff3-005e79e67ef8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-03T09:22:27Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84968997179",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-push-j7m22",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-push-j7m22",
                    "tekton.dev/pipelineRunUID": "61fbea71-1006-4818-8ff3-005e79e67ef8",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "tekton.dev/task": "build-image-index"
                },
                "name": "python-component-28wip7-on-push-j7m22-build-image-index",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-push-j7m22",
                        "uid": "61fbea71-1006-4818-8ff3-005e79e67ef8"
                    }
                ],
                "resourceVersion": "38111",
                "uid": "742da578-6cf4-4738-b89e-4619e4f6d492"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": ""
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1@sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:22:42Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:22:42Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-push-j7m22-build-image-index-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        "entryPoint": "build-image-index",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7@sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                    }
                ],
                "startTime": "2026-07-03T09:22:27Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://596f5a0dae33f42350b0f984a4dc549c43020f24094d2ed9259be3aaa368b8f8",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:22:36Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7@sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:22:33Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "create-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://5671888d6681e3735fd781bf666e05d303f3867fb0878bad7b81aed18b838bd7",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:22:36Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7@sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:22:36Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://fa0c8c674f212bb106a47140de5436d9f5c08eb3b430b73fd9558052578266eb",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:22:39Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7@sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:22:37Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The commit the image is built from.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "COMMIT_SHA",
                                "value": "a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1@sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n  echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n  exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n  TOADD=\"$i\"\n  TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n  TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n  if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n    #format is repository:tag@sha256:digest\n    #we need to remove the tag, and just reference the digest\n    #as tag + digest is not supported\n    TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n    TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n  fi\n  if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n    echo \"Skipping image index generation. Returning results for $TOADD.\"\n    echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n    echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n    echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n    exit 0\n  fi\n\n  echo \"Adding $TOADD\"\n  buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n  INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n  INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n  echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n  echo \"This will cause digest changes and break SBOM accessibility.\"\n  echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n  exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n    echo \"Failed to push image ${IMAGE} to registry\"\n    exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:python-component-28wip7-on-push-j7m22-build-image-index\"\nthen\n    echo \"Failed to push image ${IMAGE%:*}:python-component-28wip7-on-push-j7m22-build-image-index to registry\"\n    exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n  image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n  echo -n \"${IMAGE}@\"\n  cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "build.appstudio.redhat.com/commit_sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84968997179",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-lqqecl",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-push-j7m22",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22773 from redhat-appstudio-qe/konflux-python-component-28wip7\n\nkonflux-ci e2e-tests update python-component-28wip7",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/61fbea71-1006-4818-8ff3-005e79e67ef8/records/e2d9e1d7-be91-40c3-b317-13192039dc1f",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a51959f0cf9968e3155749b6c114a7b1bae41bc1\",\"eventType\":\"push\",\"pull_request-id\":22773}",
                    "results.tekton.dev/result": "group-i4dp/results/61fbea71-1006-4818-8ff3-005e79e67ef8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-03T09:22:42Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84968997179",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-push-j7m22",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-push-j7m22",
                    "tekton.dev/pipelineRunUID": "61fbea71-1006-4818-8ff3-005e79e67ef8",
                    "tekton.dev/pipelineTask": "clair-scan",
                    "tekton.dev/task": "clair-scan"
                },
                "name": "python-component-28wip7-on-push-j7m22-clair-scan",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-push-j7m22",
                        "uid": "61fbea71-1006-4818-8ff3-005e79e67ef8"
                    }
                ],
                "resourceVersion": "40841",
                "uid": "e2d9e1d7-be91-40c3-b317-13192039dc1f"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clair-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:24:12Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:24:12Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-push-j7m22-clair-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        "entryPoint": "clair-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1\", \"digests\": [\"sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e\":\"sha256:9dd1766ff54ecd268ab61a0f723df91f362766a53f5f53cc03670b406b110126\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":331,\"medium\":873,\"low\":241,\"unknown\":2},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":4,\"medium\":489,\"low\":633,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:24:11+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:22:42Z",
                "steps": [
                    {
                        "container": "step-get-image-manifests",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "get-image-manifests",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a62a9728f4e43f76275344c5a99355009bf0f2c2e73671d28758328ffac3380f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:23:04Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:23:00Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:e030a6094b6d88b430ed049a6a59808f4b795e9d8293d72a4bbab44da8cc429f",
                        "name": "get-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a276977e63ffb74f82a7a9752ca0d621351bc10e6b26bdaec8e283949dfaa1aa",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:23:42Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:23:05Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/oras@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                        "name": "oci-attach-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6630c9a22ca6dd5984b38e94ea00501eca1c2645856c4b58aa3a490e69409cb5",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:23:45Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:23:43Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "conftest-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a670a812e6020e3cbefddbbcd37cf84b5d342a27dea84a43f67fef2a2efcfd3b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:24:11Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1\\\", \\\"digests\\\": [\\\"sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e\\\":\\\"sha256:9dd1766ff54ecd268ab61a0f723df91f362766a53f5f53cc03670b406b110126\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":331,\\\"medium\\\":873,\\\"low\\\":241,\\\"unknown\\\":2},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":4,\\\"medium\\\":489,\\\"low\\\":633,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:24:11+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:23:46Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform built by.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused, should be removed in next task version.",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Clair scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "get-image-manifests",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clair-in-ci:v1",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n  { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee  \"clair-report-$2.json\"; } \u0026\u0026 \\\n  { retry clair-action convert  --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-$arch.sha\"\n\n  if [ -e \"$sha_file\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n    local digest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running clair-action on $arch image manifest...\"\n    clair_report \"$digest\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n   fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_clair_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n  echo 'No Clair reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n  fi\n\n  #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "build.appstudio.redhat.com/commit_sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84968997179",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-lqqecl",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-push-j7m22",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22773 from redhat-appstudio-qe/konflux-python-component-28wip7\n\nkonflux-ci e2e-tests update python-component-28wip7",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/61fbea71-1006-4818-8ff3-005e79e67ef8/records/2be14b43-e824-42fc-b1b8-42231d6c2b39",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a51959f0cf9968e3155749b6c114a7b1bae41bc1\",\"eventType\":\"push\",\"pull_request-id\":22773}",
                    "results.tekton.dev/result": "group-i4dp/results/61fbea71-1006-4818-8ff3-005e79e67ef8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-03T09:22:42Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84968997179",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-push-j7m22",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-push-j7m22",
                    "tekton.dev/pipelineRunUID": "61fbea71-1006-4818-8ff3-005e79e67ef8",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan"
                },
                "name": "python-component-28wip7-on-push-j7m22-clamav-scan",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-push-j7m22",
                        "uid": "61fbea71-1006-4818-8ff3-005e79e67ef8"
                    }
                ],
                "resourceVersion": "39547",
                "uid": "2be14b43-e824-42fc-b1b8-42231d6c2b39"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:23:57Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:23:57Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-push-j7m22-clamav-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        "entryPoint": "clamav-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1\", \"digests\": [\"sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1783070635\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-07-03T09:22:44Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:9b2b049119587b5e4e09297ce119396c17717381bbcd1a89041fdf3216073d36",
                        "name": "extract-and-scan-image",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://fb452472247f198f6f1c7472fdbe74ff04c8dbb2a213de320adcbd255ac1efc6",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:23:55Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1\\\", \\\"digests\\\": [\\\"sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783070635\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:23:03Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://fdcd9296d3af8de5c3afe67f28e92647822f88f105dc7fa7f47238a91c3f88f1",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:23:57Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1\\\", \\\"digests\\\": [\\\"sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783070635\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:23:55Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                },
                                "requests": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=$(echo content-$arch)\n    mkdir -p \"$destination\"\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n    if [ $? -ne 0 ]; then\n      echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "build.appstudio.redhat.com/commit_sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-a76cdb67a0",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84968997179",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-lqqecl",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-push-j7m22",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22773 from redhat-appstudio-qe/konflux-python-component-28wip7\n\nkonflux-ci e2e-tests update python-component-28wip7",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/61fbea71-1006-4818-8ff3-005e79e67ef8/records/e7171f16-34ca-4548-8deb-270d133ba5d2",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a51959f0cf9968e3155749b6c114a7b1bae41bc1\",\"eventType\":\"push\",\"pull_request-id\":22773}",
                    "results.tekton.dev/result": "group-i4dp/results/61fbea71-1006-4818-8ff3-005e79e67ef8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-03T09:19:39Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84968997179",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-push-j7m22",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-push-j7m22",
                    "tekton.dev/pipelineRunUID": "61fbea71-1006-4818-8ff3-005e79e67ef8",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone"
                },
                "name": "python-component-28wip7-on-push-j7m22-clone-repository",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-push-j7m22",
                        "uid": "61fbea71-1006-4818-8ff3-005e79e67ef8"
                    }
                ],
                "resourceVersion": "35526",
                "uid": "e7171f16-34ca-4548-8deb-270d133ba5d2"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "revision",
                        "value": "a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "output",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-92e07960d8"
                        }
                    },
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-lqqecl"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:19:45Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:19:45Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-push-j7m22-clone-repository-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        "entryPoint": "git-clone",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1783070346"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "a51959f"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    }
                ],
                "startTime": "2026-07-03T09:19:40Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://705ec9c93c86e63c6c0fae25383653e8206a4acd7c4339b6a9e32511d89f5de0",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:19:44Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"a51959f0cf9968e3155749b6c114a7b1bae41bc1\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"a51959f0cf9968e3155749b6c114a7b1bae41bc1\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1783070346\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"a51959f\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:19:43Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a10bf0ecba4903133e86370249c74726c30f57909e093664a4f5ba5b5ee9aae2",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:19:45Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"a51959f0cf9968e3155749b6c114a7b1bae41bc1\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"a51959f0cf9968e3155749b6c114a7b1bae41bc1\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1783070346\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"a51959f\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:19:45Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.",
                    "params": [
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "source",
                            "description": "Subdirectory inside the `output` Workspace to clone the repo into.",
                            "name": "subdirectory",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Clean out the contents of the destination directory if it already exists before cloning.",
                            "name": "deleteExisting",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Deprecated. Has no effect. Will be removed in the future.",
                            "name": "gitInitImage",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "PARAM_DELETE_EXISTING",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_GIT_INIT_IMAGE"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n  set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n  echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n  # Delete any existing contents of the repo directory if it exists.\n  #\n  # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n  # or the root of a mounted volume.\n  if [ -d \"${CHECKOUT_DIR}\" ] ; then\n    # Delete non-hidden files and directories\n    rm -rf \"${CHECKOUT_DIR:?}\"/*\n    # Delete files and directories starting with . but excluding ..\n    rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n    # Delete files and directories starting with .. plus any other character\n    rm -rf \"${CHECKOUT_DIR}\"/..?*\n  fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n  cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\nif ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n  echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n  echo \"--- Git Status ---\"\n  git status\n  echo \"------------------\"\n  exit 1\nfi\n\n# Check if there are changes staged for commit\nif git diff --staged --quiet; then\n  echo \"No diff was found, skipping merge...\" \u003e\u00262\nelse\n  echo \"Merge successful (no conflicts found), committing...\"\nif ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n  echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n  exit 1\nfi\n  MERGED_SHA=$(git rev-parse HEAD)\n  echo \"New HEAD after merge: ${MERGED_SHA}\"\n  echo \"${MERGED_SHA}\" \u003e \"/tekton/results/merged_sha\"\nfi\n\nelse\n  echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink\n  do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The git repo will be cloned onto the volume backing this Workspace.",
                            "name": "output"
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "build.appstudio.redhat.com/commit_sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84968997179",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-lqqecl",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-push-j7m22",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22773 from redhat-appstudio-qe/konflux-python-component-28wip7\n\nkonflux-ci e2e-tests update python-component-28wip7",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/61fbea71-1006-4818-8ff3-005e79e67ef8/records/50b75b47-6855-4009-9056-f157d827b809",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a51959f0cf9968e3155749b6c114a7b1bae41bc1\",\"eventType\":\"push\",\"pull_request-id\":22773}",
                    "results.tekton.dev/result": "group-i4dp/results/61fbea71-1006-4818-8ff3-005e79e67ef8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-03T09:19:32Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84968997179",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-push-j7m22",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-push-j7m22",
                    "tekton.dev/pipelineRunUID": "61fbea71-1006-4818-8ff3-005e79e67ef8",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init"
                },
                "name": "python-component-28wip7-on-push-j7m22-init",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-push-j7m22",
                        "uid": "61fbea71-1006-4818-8ff3-005e79e67ef8"
                    }
                ],
                "resourceVersion": "35275",
                "uid": "50b75b47-6855-4009-9056-f157d827b809"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:19:35Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:19:35Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-push-j7m22-init-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-07-03T09:19:33Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                        "name": "init",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a783775f9c9e05e0c6d7a0195342e722f82df883ba039c841ae9fa8288247981",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:19:35Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:19:35Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "build.appstudio.redhat.com/commit_sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-a76cdb67a0",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84968997179",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-lqqecl",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-push-j7m22",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22773 from redhat-appstudio-qe/konflux-python-component-28wip7\n\nkonflux-ci e2e-tests update python-component-28wip7",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/61fbea71-1006-4818-8ff3-005e79e67ef8/records/c9b1f2e4-19af-4e5d-a07d-c5c3577bc7b0",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a51959f0cf9968e3155749b6c114a7b1bae41bc1\",\"eventType\":\"push\",\"pull_request-id\":22773}",
                    "results.tekton.dev/result": "group-i4dp/results/61fbea71-1006-4818-8ff3-005e79e67ef8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-03T09:19:48Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84968997179",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-push-j7m22",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-push-j7m22",
                    "tekton.dev/pipelineRunUID": "61fbea71-1006-4818-8ff3-005e79e67ef8",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies"
                },
                "name": "python-component-28wip7-on-push-j7m22-prefetch-dependencies",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-push-j7m22",
                        "uid": "61fbea71-1006-4818-8ff3-005e79e67ef8"
                    }
                ],
                "resourceVersion": "35736",
                "uid": "c9b1f2e4-19af-4e5d-a07d-c5c3577bc7b0"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.3@sha256:45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-92e07960d8"
                        }
                    },
                    {
                        "name": "git-basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-lqqecl"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:19:57Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:19:57Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-push-j7m22-prefetch-dependencies-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        "entryPoint": "prefetch-dependencies",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies"
                    }
                },
                "startTime": "2026-07-03T09:19:49Z",
                "steps": [
                    {
                        "container": "step-prefetch-dependencies",
                        "imageID": "quay.io/konflux-ci/hermeto@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                        "name": "prefetch-dependencies",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e2c84726126a28df94c73f279847e4750aadadb745b3ff313516f01248a88e73",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:19:57Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:19:52Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for hermetic build.",
                    "params": [
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/workspace/source/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/workspace/source/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILE",
                                    "value": "/workspace/source/cachi2/cachi2.env"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY",
                                    "value": "/workspace/git-basic-auth"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.48.0@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e /mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace with the source code, prefetch artifacts will be stored on the workspace as well",
                            "name": "source"
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "build.appstudio.redhat.com/commit_sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-a76cdb67a0",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84968997179",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-lqqecl",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-push-j7m22",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22773 from redhat-appstudio-qe/konflux-python-component-28wip7\n\nkonflux-ci e2e-tests update python-component-28wip7",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/61fbea71-1006-4818-8ff3-005e79e67ef8/records/b5c0d1c4-5019-472c-90d3-4cdabc2609df",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a51959f0cf9968e3155749b6c114a7b1bae41bc1\",\"eventType\":\"push\",\"pull_request-id\":22773}",
                    "results.tekton.dev/result": "group-i4dp/results/61fbea71-1006-4818-8ff3-005e79e67ef8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, appstudio",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-03T09:22:43Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84968997179",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-push-j7m22",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-push-j7m22",
                    "tekton.dev/pipelineRunUID": "61fbea71-1006-4818-8ff3-005e79e67ef8",
                    "tekton.dev/pipelineTask": "push-dockerfile",
                    "tekton.dev/task": "push-dockerfile"
                },
                "name": "python-component-28wip7-on-push-j7m22-push-dockerfile",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-push-j7m22",
                        "uid": "61fbea71-1006-4818-8ff3-005e79e67ef8"
                    }
                ],
                "resourceVersion": "38743",
                "uid": "b5c0d1c4-5019-472c-90d3-4cdabc2609df"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "docker/Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "python-component"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "push-dockerfile"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3@sha256:64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-92e07960d8"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:23:02Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:23:02Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-push-j7m22-push-dockerfile-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        "entryPoint": "push-dockerfile",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7@sha256:bacda8cf4b9f5db7c018faf6638a4f1e76a747abeddc20799189877a8a9b9868"
                    }
                ],
                "startTime": "2026-07-03T09:22:47Z",
                "steps": [
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d5c035269eb23a585b35c301ae482c0fedc875b4769cc11d827aa70c05f02527",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:23:02Z",
                            "message": "[{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7@sha256:bacda8cf4b9f5db7c018faf6638a4f1e76a747abeddc20799189877a8a9b9868\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:23:01Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.",
                    "params": [
                        {
                            "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": ".dockerfile",
                            "description": "Suffix of the Dockerfile image tag.",
                            "name": "TAG_SUFFIX",
                            "type": "string"
                        },
                        {
                            "default": "application/vnd.konflux.dockerfile",
                            "description": "Artifact type of the Dockerfile image.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest-pinned image reference to the Dockerfile image.",
                            "name": "IMAGE_REF",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--source",
                                "source",
                                "--context",
                                "python-component",
                                "--containerfile",
                                "docker/Dockerfile",
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                                "--image-digest",
                                "sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e",
                                "--artifact-type",
                                "application/vnd.konflux.dockerfile",
                                "--tag-suffix",
                                ".dockerfile",
                                "--result-path-image-ref",
                                "/tekton/results/IMAGE_REF",
                                "--alternative-filename",
                                "Dockerfile"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "push-containerfile"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                            "name": "push",
                            "workingDir": "/workspace/workspace"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code from where the Dockerfile is discovered.",
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "build.appstudio.redhat.com/commit_sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84968997179",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-lqqecl",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-push-j7m22",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22773 from redhat-appstudio-qe/konflux-python-component-28wip7\n\nkonflux-ci e2e-tests update python-component-28wip7",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/61fbea71-1006-4818-8ff3-005e79e67ef8/records/883fc2ab-41d2-4a8a-ab7c-272455d9eab6",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a51959f0cf9968e3155749b6c114a7b1bae41bc1\",\"eventType\":\"push\",\"pull_request-id\":22773}",
                    "results.tekton.dev/result": "group-i4dp/results/61fbea71-1006-4818-8ff3-005e79e67ef8",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-03T09:22:43Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84968997179",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-push-j7m22",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-push-j7m22",
                    "tekton.dev/pipelineRunUID": "61fbea71-1006-4818-8ff3-005e79e67ef8",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan"
                },
                "name": "python-component-28wip7-on-push-j7m22-rpms-signature-scan",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-push-j7m22",
                        "uid": "61fbea71-1006-4818-8ff3-005e79e67ef8"
                    }
                ],
                "resourceVersion": "39907",
                "uid": "883fc2ab-41d2-4a8a-ab7c-272455d9eab6"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:23:46Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:23:46Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-push-j7m22-rpms-signature-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1\", \"digests\": [\"sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"199e2f91fd431d51\": 467, \"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:23:45+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:22:48Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                        "name": "rpms-signature-scan",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://709480979ac5ecccbcd5d99cf4d3e6c78f7ed725fd38b34d9d5228cb6b8af197",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:23:44Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:23:02Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                        "name": "output-results",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e64ca798bec55f2451fd7cd579689667e5782a0d59a0bbe6e93b8bff11c126e6",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:23:45Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1\\\", \\\"digests\\\": [\\\"sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 467, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:23:45+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:23:45Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provide information about RPMs signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "build.appstudio.redhat.com/commit_sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-a76cdb67a0",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84968997179",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-lqqecl",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-push-j7m22",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22773 from redhat-appstudio-qe/konflux-python-component-28wip7\n\nkonflux-ci e2e-tests update python-component-28wip7",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/61fbea71-1006-4818-8ff3-005e79e67ef8/records/d01e5096-400d-4354-88c8-105c7cf9f1c3",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a51959f0cf9968e3155749b6c114a7b1bae41bc1\",\"eventType\":\"push\",\"pull_request-id\":22773}",
                    "results.tekton.dev/result": "group-i4dp/results/61fbea71-1006-4818-8ff3-005e79e67ef8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-03T09:22:42Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84968997179",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-push-j7m22",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-push-j7m22",
                    "tekton.dev/pipelineRunUID": "61fbea71-1006-4818-8ff3-005e79e67ef8",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check"
                },
                "name": "python-component-28wip7-on-push-j7m22-sast-shell-check",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-push-j7m22",
                        "uid": "61fbea71-1006-4818-8ff3-005e79e67ef8"
                    }
                ],
                "resourceVersion": "39695",
                "uid": "d01e5096-400d-4354-88c8-105c7cf9f1c3"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-92e07960d8"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:23:23Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:23:23Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-push-j7m22-sast-shell-check-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        "entryPoint": "sast-shell-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:23:05+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:22:46Z",
                "steps": [
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-shell-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://297f2112f3f8e8a574dcb2ce9c3017b01c39ff8a39baed68e21a354e3ffaf655",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:23:05Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:23:05+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:23:03Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f1db2fdf13e70b79aa543272d482732c32151837482fdcead924f008ca44e9ac",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:23:06Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:23:05+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:23:06Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "8",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/workspace/workspace/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n    read -r quota period \u003c /sys/fs/cgroup/cpu.max\n    if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n        export SC_JOBS=$(((quota + period - 1) / period))\n        echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n    fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n    --mode=json\n    --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n    # predefined list of shellcheck important findings\n    CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n    CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n    CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n    CSGREP_OPTS+=(\n        --event=\"$CSGREP_EVENT_FILTER\"\n    )\nelse\n    CSGREP_OPTS+=(\n        --event=\"error|warning\"\n    )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e \"$OUTPUT_FILE\"; then\n    echo \"Error occurred while running 'run-shellcheck.sh'\"\n    note=\"Task sast-shell-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e \"${OUTPUT_FILE}.filtered\" 2\u003e \"${OUTPUT_FILE}.error\"\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n        mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003e shellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n    echo 'No image-url or image-digest param provided. Skipping upload.'\n    exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n        echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n        continue\n    fi\n\n    # Determine the media type based on the file extension\n    if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n        MEDIA_TYPE=\"application/json\"\n    else\n        MEDIA_TYPE=\"application/sarif+json\"\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n      exit 1\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "build.appstudio.redhat.com/commit_sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-a76cdb67a0",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84968997179",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-lqqecl",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-push-j7m22",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22773 from redhat-appstudio-qe/konflux-python-component-28wip7\n\nkonflux-ci e2e-tests update python-component-28wip7",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/61fbea71-1006-4818-8ff3-005e79e67ef8/records/4bb741df-576b-4993-82cd-a9bfc49b0424",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a51959f0cf9968e3155749b6c114a7b1bae41bc1\",\"eventType\":\"push\",\"pull_request-id\":22773}",
                    "results.tekton.dev/result": "group-i4dp/results/61fbea71-1006-4818-8ff3-005e79e67ef8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-03T09:22:42Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84968997179",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-push-j7m22",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-push-j7m22",
                    "tekton.dev/pipelineRunUID": "61fbea71-1006-4818-8ff3-005e79e67ef8",
                    "tekton.dev/pipelineTask": "sast-snyk-check",
                    "tekton.dev/task": "sast-snyk-check"
                },
                "name": "python-component-28wip7-on-push-j7m22-sast-snyk-check",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-push-j7m22",
                        "uid": "61fbea71-1006-4818-8ff3-005e79e67ef8"
                    }
                ],
                "resourceVersion": "39477",
                "uid": "4bb741df-576b-4993-82cd-a9bfc49b0424"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-snyk-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-92e07960d8"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:23:05Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:23:05Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-push-j7m22-sast-snyk-check-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        "entryPoint": "sast-snyk-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-03T09:23:03+00:00\",\"note\":\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:22:43Z",
                "steps": [
                    {
                        "container": "step-sast-snyk-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-snyk-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://27b50f8b69ef9a5ef5da77c14488721352b5df4237ad3c889473940d9db641dd",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:23:03Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-03T09:23:03+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:23:02Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://42546c680c088a9967f5abec9d6ac7c9a1830fd5e4b39c343e4da6f572d9a1c2",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:23:04Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-03T09:23:03+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:23:04Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.\n\nFollow the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/) to obtain a snyk-token and to enable the snyk task in a Pipeline.\n\nThe snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test\n\nSee https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.",
                    "params": [
                        {
                            "default": "snyk-secret",
                            "description": "Name of secret which contains Snyk token.",
                            "name": "SNYK_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Append arguments.",
                            "name": "ARGS",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Digest of the image to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Report only important findings in task result. Default is \"true\". To report all findings in task result, specify \"false\". Uploaded SARIF report to remote registry always includes all findings, regardless of severity level.",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Write excluded records in file. Useful for auditing (defaults to false).",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.",
                            "name": "IGNORE_FILE_PATHS",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "6Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "6Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNYK_SECRET",
                                    "value": "snyk-secret"
                                },
                                {
                                    "name": "ARGS"
                                },
                                {
                                    "name": "IGNORE_FILE_PATHS"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-snyk-check",
                            "script": "#!/usr/bin/env bash\n\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\n# Installation of Red Hat certificates for cloning Red Hat internal repositories\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSNYK_TOKEN_PATH=\"/etc/secrets/snyk_token\"\nif [ -f \"${SNYK_TOKEN_PATH}\" ] \u0026\u0026 [ -s \"${SNYK_TOKEN_PATH}\" ]; then\n  # SNYK token is provided\n  SNYK_TOKEN=\"$(cat ${SNYK_TOKEN_PATH})\"\n  export SNYK_TOKEN\nelse\n  # According to shellcheck documentation, the following error can be ignored as it is ignored through indirection: https://www.shellcheck.net/wiki/SC2034\n  # shellcheck disable=SC2034\n  to_enable_snyk='[here](https://konflux-ci.dev/docs/testing/build/snyk/)'\n  note=\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given ${to_enable_snyk}\"\n  TEST_OUTPUT=$(make_result_json -r SKIPPED -t \"$note\")\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nSNYK_EXIT_CODE=0\nSOURCE_CODE_DIR=/workspace/workspace\n\n# We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.\n(cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 IFS=\",\" \u0026\u0026 for path in $IGNORE_FILE_PATHS; do\n  snyk ignore --file-path=\"source/${path}\"\ndone)\n\nset +e\necho \"INFO: Running 'snyk code test'..\"\n# We do want to expand ARGS (it can be multiple CLI flags, not just one)\n# shellcheck disable=SC2086\n\n# Generate full paths for each directory in TARGET_DIRS\nIFS=\",\" read -ra TARGETS_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGETS_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # Ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ ! \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\n\n  # Ensure directory exists\n  if [ ! -d \"$resolved_path\" ]; then\n    echo \"Warning: Directory $resolved_path does not exist, skipping\"\n    continue\n  fi\n\n  echo \"INFO: Scanning directory: $resolved_path\"\n  # We do want to expand ARGS (it can be multiple CLI flags, not just one)\n  # shellcheck disable=SC2086\n  snyk code test $ARGS \"$resolved_path\" --max-depth=1 --sarif-file-output=\"${resolved_path}/sast_snyk_check_out_${d//\\//_}.json\" 1\u003e\u00262\u003e\u003e stdout.txt\n  cmd_exit_code=$?\n  # Track the exit code: if any snyk command fails, preserve the failure\n  # Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error, 3 = no supported files\n  # Error codes (2+) always override, warning codes (1,3) only if no previous error\n  if [[ \"$cmd_exit_code\" -ne 0 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 1 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 3 ]]; then\n    SNYK_EXIT_CODE=$cmd_exit_code\n  fi\n\ndone\n\n# Merge all SARIF outputs\nfind \"$SOURCE_CODE_DIR\" -name \"sast_snyk_check_out_*.json\" -exec cat {} + \u003e \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\nset -e\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\n\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n  # Check if the merged SARIF file has content - this could happen if the snyk scan found no findings\n  if [ ! -s \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\" ]; then\n    echo \"WARN: No JSON output files were generated by snyk scan\"\n    # Get snyk version for proper SARIF metadata\n    SNYK_VERSION=$(snyk --version 2\u003e/dev/null | head -1 | tr -d '\\n' || echo \"unknown\")\n    # Create a valid minimal SARIF structure using jq\n    # Note: coverage array is required even when empty because downstream jq commands expect it\n    jq -n --arg version \"$SNYK_VERSION\" '{\n      \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n      \"version\": \"2.1.0\",\n      \"runs\": [{\n        \"tool\": {\n          \"driver\": {\n            \"name\": \"snyk\",\n            \"version\": $version,\n            \"informationUri\": \"https://snyk.io\"\n          }\n        },\n        \"results\": [],\n        \"properties\": {\n          \"coverage\": []\n        }\n      }]\n    }' \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\n  fi\n\n  # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context\n  (cd  \"${SOURCE_CODE_DIR}\" \u0026\u0026 csgrep --mode=json --embed-context=3 \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json) \\\n    | csgrep --mode=json --strip-path-prefix=\"source/\"  \\\n    \u003e sast_snyk_check_out_all_findings.json\n\n  echo \"INFO: Initial results:\"\n  csgrep --mode=evtstat sast_snyk_check_out_all_findings.json\n\n  if [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\n  fi\n  PROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n  # create the KFP clone directory regardless\n  KFP_DIR=\"known-false-positives\"\n  KFP_CLONED=\"0\"\n  mkdir \"${KFP_DIR}\"\n\n  # We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\n  if [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n      echo \"INFO: Trying to clone known-false-positives..\"\n      git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\n  fi\n\n  if [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone know-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json\n  else\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    CMD=(\n      csfilter-kfp\n      --verbose\n      --kfp-dir=\"${KFP_DIR}\"\n      --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [ \"${RECORD_EXCLUDED}\" == \"true\" ]; then\n      CMD+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    set +e\n    \"${CMD[@]}\" sast_snyk_check_out_all_findings.json \u003e filtered_sast_snyk_check_out.json\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n      echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n      echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\n    echo \"INFO: Results after filtering:\"\n    (set -x \u0026\u0026 csgrep --mode=evtstat filtered_sast_snyk_check_out.json)\n  fi\n\n  # Generation of scan stats\n\n  total_files=$(jq '[.runs[0].properties.coverage[].files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n  supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == \"SUPPORTED\") | .files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n\n  # We make sure the values are 0 if no supported/total files are found\n  if [ \"$total_files\" = \"null\" ] || [ -z \"$total_files\" ]; then\n    total_files=0\n  fi\n\n  if [ \"$supported_files\" = \"null\" ] || [ -z \"$supported_files\" ]; then\n    supported_files=0\n  fi\n\n  coverage_ratio=0\n  if (( total_files \u003e 0 )); then\n      coverage_ratio=$((supported_files * 100 / total_files))\n  fi\n\n  # embed stats in results file and convert to SARIF\n  csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:\"${coverage_ratio}\" \\\n                      --set-scan-prop snyk-scanned-files-success:\"${supported_files}\"  \\\n                      --set-scan-prop snyk-scanned-files-total:\"${total_files}\" \\\n                      filtered_sast_snyk_check_out.json  \u003e sast_snyk_check_out.sarif\n\n  # Create filtered SARIF for Tekton task result based on IMP_FINDINGS_ONLY parameter\n  if [ \"${IMP_FINDINGS_ONLY}\" == \"true\" ]; then\n    # Filter to only \"error\" level or higher (high/critical severity) for Tekton task result\n    # In SARIF, defects are given a level like \"error\" or \"warning\". Snyk maps \"high\" level findings to \"error\".\n    # - \"error\" → importance level 1\n    # - \"warning\" (or missing level) → importance level 0\n    RESULT_SARIF=\"result_sast_snyk_check_out.sarif\"\n    csgrep --mode=sarif --imp-level 1 sast_snyk_check_out.sarif \u003e \"$RESULT_SARIF\"\n  else\n    # Use all findings for Tekton task result\n    RESULT_SARIF=\"sast_snyk_check_out.sarif\"\n  fi\n\n  TEST_OUTPUT=\n  parse_test_output \"sast-snyk-check\" sarif \"$RESULT_SARIF\"  || true\n\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n  note=\"Task sast-snyk-check success: Snyk code test found zero supported files.\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-snyk-check test failed because of the following issues:\"\n  cat stdout.txt\n  note=\"Task sast-snyk-check failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets",
                                    "name": "snyk-secret",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_snyk_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n    if [ \"${UPLOAD_FILES}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach to ${IMAGE_URL}\"\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "snyk-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "snyk-secret"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "build.appstudio.redhat.com/commit_sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-a76cdb67a0",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84968997179",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-lqqecl",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-push-j7m22",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22773 from redhat-appstudio-qe/konflux-python-component-28wip7\n\nkonflux-ci e2e-tests update python-component-28wip7",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/61fbea71-1006-4818-8ff3-005e79e67ef8/records/0f95eab4-057f-4862-857c-ce983170ed5e",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a51959f0cf9968e3155749b6c114a7b1bae41bc1\",\"eventType\":\"push\",\"pull_request-id\":22773}",
                    "results.tekton.dev/result": "group-i4dp/results/61fbea71-1006-4818-8ff3-005e79e67ef8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-03T09:22:42Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84968997179",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-push-j7m22",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-push-j7m22",
                    "tekton.dev/pipelineRunUID": "61fbea71-1006-4818-8ff3-005e79e67ef8",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check"
                },
                "name": "python-component-28wip7-on-push-j7m22-sast-unicode-check",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-push-j7m22",
                        "uid": "61fbea71-1006-4818-8ff3-005e79e67ef8"
                    }
                ],
                "resourceVersion": "39780",
                "uid": "0f95eab4-057f-4862-857c-ce983170ed5e"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.4@sha256:d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-92e07960d8"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:23:23Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:23:23Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-push-j7m22-sast-unicode-check-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        "entryPoint": "sast-unicode-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:23:06+00:00\",\"note\":\"Task sast-unicode-check success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:22:46Z",
                "steps": [
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-unicode-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://4d48791c367ae262f1dd1e229fb2827afb8c601a63a3eac1a7747e8c5efa6e86",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:23:06Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:23:06+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:23:05Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://8ed80ca35770da49c5eab12c2fd304d6c74b4d29ee414439a0f6813eb267e1e2",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:23:08Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:23:06+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:23:07Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
                            "description": "arguments for find-unicode-control command.",
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/workspace/workspace"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n    \u003eraw_sast_unicode_check_out.txt \\\n    2\u003eraw_sast_unicode_check_out.log \\\n    || FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n    echo \"Failed to run find-unicode-control command\" \u003e\u00262\n    cat raw_sast_unicode_check_out.log\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n    echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n    --mode=json\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"${SCAN_PROP}\"\n    --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003e processed_sast_unicode_check_out.json 2\u003e processed_sast_unicode_check_out.err; then\n    echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n    cat processed_sast_unicode_check_out.err\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # Build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    # Append --record-excluded option if RECORD_EXCLUDED is true\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003e sast_unicode_check_out.json 2\u003e sast_unicode_check_out.error\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n        mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n    else\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003e sast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n    note=\"Task sast-unicode-check success: No finding was detected\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s  sast_unicode_check_out.sarif ]]; then\n    note=\"Task sast-unicode-check success: Some findings were detected, but filtered by known false positive\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n    echo \"sast-unicode-check test failed because of the following issues:\"\n    cat sast_unicode_check_out.json\n    TEST_OUTPUT=\n    parse_test_output \"sast-unicode-check\" sarif sast_unicode_check_out.sarif  || true\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0;\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n\n    if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "build.appstudio.redhat.com/commit_sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-tuhox9",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84968997179",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-lqqecl",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/group-i4dp/pipelinerun/python-component-28wip7-on-push-j7m22",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-tuhox9\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-28wip7-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22773 from redhat-appstudio-qe/konflux-python-component-28wip7\n\nkonflux-ci e2e-tests update python-component-28wip7",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-tuhox9",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-i4dp/results/61fbea71-1006-4818-8ff3-005e79e67ef8/records/726fcefd-e4f7-45dd-bd7a-da2437f6a16a",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a51959f0cf9968e3155749b6c114a7b1bae41bc1\",\"eventType\":\"push\",\"pull_request-id\":22773}",
                    "results.tekton.dev/result": "group-i4dp/results/61fbea71-1006-4818-8ff3-005e79e67ef8",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-03T09:22:42Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-nihz",
                    "appstudio.openshift.io/component": "python-component-28wip7",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84968997179",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-28wip7-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22773",
                    "pipelinesascode.tekton.dev/repository": "go-component-v9b4py",
                    "pipelinesascode.tekton.dev/sha": "a51959f0cf9968e3155749b6c114a7b1bae41bc1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-28wip7-on-push-j7m22",
                    "tekton.dev/pipelineRun": "python-component-28wip7-on-push-j7m22",
                    "tekton.dev/pipelineRunUID": "61fbea71-1006-4818-8ff3-005e79e67ef8",
                    "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks",
                    "tekton.dev/task": "ecosystem-cert-preflight-checks"
                },
                "name": "python-component-28wip7-on-push13fbaa391d94ef74258dfbfcefead670",
                "namespace": "group-i4dp",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-28wip7-on-push-j7m22",
                        "uid": "61fbea71-1006-4818-8ff3-005e79e67ef8"
                    }
                ],
                "resourceVersion": "40514",
                "uid": "726fcefd-e4f7-45dd-bd7a-da2437f6a16a"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-28wip7",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "ecosystem-cert-preflight-checks"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:23:56Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:23:56Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-28wip7-on-293b09f7d95aea25d546b246de0d0ddd-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        "entryPoint": "ecosystem-cert-preflight-checks",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks"
                    }
                },
                "results": [
                    {
                        "name": "ARTIFACT_TYPE",
                        "type": "string",
                        "value": "application"
                    },
                    {
                        "name": "ARTIFACT_TYPE_SET_BY",
                        "type": "string",
                        "value": "introspection"
                    },
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1\", \"digests\": [\"sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e\"]}}"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783070635\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-03T09:22:43Z",
                "steps": [
                    {
                        "container": "step-introspect",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "introspect",
                        "provenance": {},
                        "results": [
                            {
                                "name": "artifact-type",
                                "type": "string",
                                "value": "application"
                            },
                            {
                                "name": "artifact-type-set-by",
                                "type": "string",
                                "value": "introspection"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://e75fe1fada093ef23da0aba64881053a161dc3f9c4fd558cd8594b641e9150ef",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:23:02Z",
                            "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:23:01Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-generate-container-auth",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "generate-container-auth",
                        "provenance": {},
                        "results": [
                            {
                                "name": "auth-json-path",
                                "type": "string",
                                "value": "/auth/auth.json"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://5b058da94f2193934c63bd46cec3bc7bca819c17eef69656ffcc8fd5d6f911a6",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:23:03Z",
                            "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:23:03Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-set-skip-for-bundles",
                        "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                        "name": "set-skip-for-bundles",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://7ca9dbfe1713aae9eba7ec087f72e11b95b794077032a62439e8195120f9ec2e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:23:03Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:23:03Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-app-check",
                        "imageID": "quay.io/opdev/preflight@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                        "name": "app-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://be11689ccfb5183314ac09bfd0ee8cc90ef54dd8602a5352f374d663941d2ebd",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:23:54Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:23:04Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-app-set-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "app-set-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "images-processed",
                                "type": "string",
                                "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1\", \"digests\": [\"sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e\"]}}"
                            },
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783070635\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://8abc97271d0fedbcbcbecf411337587dab926cca11e448928bd7881161c823af",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:23:55Z",
                            "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1\\\", \\\"digests\\\": [\\\"sha256:0869ddcc2d1f34999824421c7950c052f8dad47e5599c099d07f8e284ab5643e\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1783070635\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:23:55Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-final-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "final-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783070635\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://4d39617a7b8b450dfa17e1c874d4c1e3597545da02052d890149d26406d6df13",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:23:56Z",
                            "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1783070635\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:23:56Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.",
                    "params": [
                        {
                            "description": "Image url to scan.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "introspect",
                            "description": "The type of artifact. Select from application, operatorbundle, or introspect.",
                            "name": "artifact-type",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform the image is built on.",
                            "name": "platform",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Ecosystem checks pass or fail outcome.",
                            "name": "TEST_OUTPUT",
                            "type": "string",
                            "value": "$(steps.final-outcome.results.test-output)"
                        },
                        {
                            "description": "The artifact type, either introspected or set.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type)"
                        },
                        {
                            "description": "How the artifact type was set.",
                            "name": "ARTIFACT_TYPE_SET_BY",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type-set-by)"
                        },
                        {
                            "description": "Collected image digests",
                            "name": "IMAGES_PROCESSED",
                            "type": "string",
                            "value": "$(steps.app-set-outcome.results.images-processed)"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_ARTIFACT_TYPE",
                                    "value": "introspect"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "introspect",
                            "results": [
                                {
                                    "description": "The type of artifact this task is considering.",
                                    "name": "artifact-type"
                                },
                                {
                                    "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n",
                                    "name": "artifact-type-set-by"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n  echo \"Artifact type will be determined by introspection.\"\n  _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n  # short circuit if the artifact type was set via parameter.\n  echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n  printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n  exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n  _CURRENT_ARCH=$(uname -m)\n  _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n  # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n  # to map them.\n  case ${_CURRENT_ARCH} in\n    \"aarch64\")\n      _CURRENT_ARCH=\"arm64\"\n      ;;\n    \"x86_64\")\n      _CURRENT_ARCH=\"amd64\"\n      ;;\n    *)\n      ;;\n  esac\n\n  # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n  _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n  if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n    echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n  else\n    # If there is no image for the current OS and architecture, just use the first one in the list.\n    _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n    _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n    _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n    _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n    echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n  fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n  | jq '.Labels | keys | .[]' -r \\\n  | { grep operators.operatorframework.io.bundle || true ;} \\\n  | tee /tmp/ecosystem-image-labels\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n"
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "generate-container-auth",
                            "results": [
                                {
                                    "description": "Path to auth.json",
                                    "name": "auth-json-path"
                                }
                            ],
                            "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/auth",
                                    "name": "auth"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                            "name": "set-skip-for-bundles",
                            "results": [
                                {
                                    "description": "A skipped tekton result for bundles.",
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/bundle",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "operatorbundle"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PFLT_DOCKERCONFIG",
                                    "value": "$(steps.generate-container-auth.results.auth-json-path)"
                                },
                                {
                                    "name": "PFLT_KONFLUX",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                                },
                                {
                                    "name": "PARAM_PLATFORM"
                                }
                            ],
                            "image": "quay.io/opdev/preflight:stable@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                            "name": "app-check",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n  # Extract part after slash if present\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n\n  # Validate against supported arch list. If it's not a known arch, return an error result\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n  /usr/local/bin/preflight check container \"$image_url\"\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                },
                                {
                                    "mountPath": "/auth",
                                    "name": "auth",
                                    "readOnly": true
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-i4dp/python-component-28wip7:a51959f0cf9968e3155749b6c114a7b1bae41bc1"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "app-set-outcome",
                            "results": [
                                {
                                    "description": "The overall outcome of this task.",
                                    "name": "test-output"
                                },
                                {
                                    "description": "Processed image digests.",
                                    "name": "images-processed"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n    # Check if results directory exits\n    RESULT_JSON_PATH=/artifacts/${ARCH}/results.json\n    if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n        continue\n    fi\n    # Process results\n    if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n    PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{  result: $result,\n    timestamp: $date,\n    note: $note,\n    successes: $successes|tonumber,\n    failures: $failures|tonumber,\n    warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n  docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n  if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n    digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n  fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nimage_digest=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" | sha256sum | awk '{print \"sha256:\" $1}')\nif [[ -n \"$image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n  digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "final-outcome",
                            "results": [
                                {
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n  printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n  exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mount",
                                    "name": "pfltoutputdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "pfltoutputdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "auth"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/commit_sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/pull_request_number": "30788",
                    "build.appstudio.redhat.com/target_branch": "base-zcjbry",
                    "chains.tekton.dev/signed": "true",
                    "pac.test.appstudio.openshift.io/branch": "base-zcjbry",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/check-run-id": "84972125948",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-slsnga",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "72200095",
                    "pac.test.appstudio.openshift.io/log-url": "https://CONSOLE_URL_NOT_AVAILABLE",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-zcjbry\"",
                    "pac.test.appstudio.openshift.io/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "30788",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pac.test.appstudio.openshift.io/repository": "test-component-pac-xi47ct",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "konflux-ci-e2e-tests[bot]",
                    "pac.test.appstudio.openshift.io/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pac.test.appstudio.openshift.io/sha-title": "konflux-ci e2e-tests update test-component-pac-xi47ct",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pac.test.appstudio.openshift.io/source-branch": "konflux-test-component-pac-xi47ct",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "redhat-appstudio-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration1-dtub/results/70f07953-9950-4cf5-8d08-58aff4c5567d/records/1f6624ef-d2c6-464d-8109-6b8b0fdeba49",
                    "results.tekton.dev/result": "integration1-dtub/results/70f07953-9950-4cf5-8d08-58aff4c5567d",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "The number 0 of component snapshots belonging to this pr group hash 086ea687dbe778cee8b9ed2ceccf8d39d0bcf8dc9cdb2cff51e0346dc5e99b is less than 2, skipping group snapshot creation",
                    "test.appstudio.openshift.io/integration-workflow": "pull-request",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1783071434000",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-xi47ct",
                    "test.appstudio.openshift.io/result-chains-git-commit": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "test.appstudio.openshift.io/result-chains-git-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "test.appstudio.openshift.io/result-image-digest": "sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a",
                    "test.appstudio.openshift.io/result-image-url": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed",
                    "test.appstudio.openshift.io/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration"
                },
                "creationTimestamp": "2026-07-03T09:40:38Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "integ-app-5uz1",
                    "appstudio.openshift.io/component": "test-component-pac-xi47ct",
                    "appstudio.openshift.io/snapshot": "integ-app-5uz1-20260703-093714-000",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/check-run-id": "84972125948",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "30788",
                    "pac.test.appstudio.openshift.io/repository": "test-component-pac-xi47ct",
                    "pac.test.appstudio.openshift.io/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "redhat-appstudio-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "integration-test-p507-7jcm8",
                    "tekton.dev/pipelineRun": "integration-test-p507-7jcm8",
                    "tekton.dev/pipelineRunUID": "70f07953-9950-4cf5-8d08-58aff4c5567d",
                    "tekton.dev/pipelineTask": "task-skipped",
                    "tekton.dev/task": "test-output",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1783071634",
                    "test.appstudio.openshift.io/pr-group-sha": "086ea687dbe778cee8b9ed2ceccf8d39d0bcf8dc9cdb2cff51e0346dc5e99b",
                    "test.appstudio.openshift.io/scenario": "integration-test-p507",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "integration-test-p507-7jcm8-task-skipped",
                "namespace": "integration1-dtub",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "integration-test-p507-7jcm8",
                        "uid": "70f07953-9950-4cf5-8d08-58aff4c5567d"
                    }
                ],
                "resourceVersion": "57943",
                "uid": "1f6624ef-d2c6-464d-8109-6b8b0fdeba49"
            },
            "spec": {
                "params": [
                    {
                        "name": "RESULT",
                        "value": "SKIPPED"
                    }
                ],
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/integration-examples"
                        },
                        {
                            "name": "revision",
                            "value": "main"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/test_output.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:40:47Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:40:47Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "integration-test-p507-7jcm8-task-skipped-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "a1a70b0a1cfc96f5216d472fbd60f6b42780b3e5"
                        },
                        "entryPoint": "tasks/test_output.yaml",
                        "uri": "git+https://github.com/konflux-ci/integration-examples"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-03T09:40:47+00:00\",\"failures\":0,\"successes\":0,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-03T09:40:39Z",
                "steps": [
                    {
                        "container": "step-unnamed-0",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c370a7bc6e172cdbab001f1a19f37ebc95f47c3d8fe2d915fa4641132490ead7",
                        "name": "unnamed-0",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2f8068f16f0720d949877be93a9b82d43d6a8fe5658635157998d064b2a9ce7e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:40:47Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-03T09:40:47+00:00\\\",\\\"failures\\\":0,\\\"successes\\\":0,\\\"warnings\\\":0}\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:40:47Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "params": [
                        {
                            "default": "SUCCESS",
                            "description": "Test result to be generated",
                            "name": "RESULT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Test output",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/konflux-test:latest",
                            "name": "",
                            "script": "TEST_OUTPUT=$(jq -rc --arg date $(date -u --iso-8601=seconds) --arg RESULT SKIPPED --null-input \\\n  '{result: $RESULT, timestamp: $date, failures: 0, successes: 0, warnings: 0}')\necho -n \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/commit_sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/pull_request_number": "30788",
                    "build.appstudio.redhat.com/target_branch": "base-zcjbry",
                    "chains.tekton.dev/signed": "true",
                    "pac.test.appstudio.openshift.io/branch": "base-zcjbry",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/check-run-id": "84972125948",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-slsnga",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "72200095",
                    "pac.test.appstudio.openshift.io/log-url": "https://CONSOLE_URL_NOT_AVAILABLE",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-zcjbry\"",
                    "pac.test.appstudio.openshift.io/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "30788",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pac.test.appstudio.openshift.io/repository": "test-component-pac-xi47ct",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "konflux-ci-e2e-tests[bot]",
                    "pac.test.appstudio.openshift.io/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pac.test.appstudio.openshift.io/sha-title": "konflux-ci e2e-tests update test-component-pac-xi47ct",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pac.test.appstudio.openshift.io/source-branch": "konflux-test-component-pac-xi47ct",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "redhat-appstudio-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration1-dtub/results/70f07953-9950-4cf5-8d08-58aff4c5567d/records/ebd3ccc1-e728-4930-b06d-6b629af1004b",
                    "results.tekton.dev/result": "integration1-dtub/results/70f07953-9950-4cf5-8d08-58aff4c5567d",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "The number 0 of component snapshots belonging to this pr group hash 086ea687dbe778cee8b9ed2ceccf8d39d0bcf8dc9cdb2cff51e0346dc5e99b is less than 2, skipping group snapshot creation",
                    "test.appstudio.openshift.io/integration-workflow": "pull-request",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1783071434000",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-xi47ct",
                    "test.appstudio.openshift.io/result-chains-git-commit": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "test.appstudio.openshift.io/result-chains-git-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "test.appstudio.openshift.io/result-image-digest": "sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a",
                    "test.appstudio.openshift.io/result-image-url": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed",
                    "test.appstudio.openshift.io/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration"
                },
                "creationTimestamp": "2026-07-03T09:40:38Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "integ-app-5uz1",
                    "appstudio.openshift.io/component": "test-component-pac-xi47ct",
                    "appstudio.openshift.io/snapshot": "integ-app-5uz1-20260703-093714-000",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/check-run-id": "84972125948",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "30788",
                    "pac.test.appstudio.openshift.io/repository": "test-component-pac-xi47ct",
                    "pac.test.appstudio.openshift.io/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "redhat-appstudio-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "integration-test-p507-7jcm8",
                    "tekton.dev/pipelineRun": "integration-test-p507-7jcm8",
                    "tekton.dev/pipelineRunUID": "70f07953-9950-4cf5-8d08-58aff4c5567d",
                    "tekton.dev/pipelineTask": "task-success",
                    "tekton.dev/task": "test-output",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1783071634",
                    "test.appstudio.openshift.io/pr-group-sha": "086ea687dbe778cee8b9ed2ceccf8d39d0bcf8dc9cdb2cff51e0346dc5e99b",
                    "test.appstudio.openshift.io/scenario": "integration-test-p507",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "integration-test-p507-7jcm8-task-success",
                "namespace": "integration1-dtub",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "integration-test-p507-7jcm8",
                        "uid": "70f07953-9950-4cf5-8d08-58aff4c5567d"
                    }
                ],
                "resourceVersion": "57915",
                "uid": "ebd3ccc1-e728-4930-b06d-6b629af1004b"
            },
            "spec": {
                "params": [
                    {
                        "name": "RESULT",
                        "value": "SUCCESS"
                    }
                ],
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/integration-examples"
                        },
                        {
                            "name": "revision",
                            "value": "main"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/test_output.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:40:46Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:40:46Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "integration-test-p507-7jcm8-task-success-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "a1a70b0a1cfc96f5216d472fbd60f6b42780b3e5"
                        },
                        "entryPoint": "tasks/test_output.yaml",
                        "uri": "git+https://github.com/konflux-ci/integration-examples"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:40:46+00:00\",\"failures\":0,\"successes\":0,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-03T09:40:38Z",
                "steps": [
                    {
                        "container": "step-unnamed-0",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c370a7bc6e172cdbab001f1a19f37ebc95f47c3d8fe2d915fa4641132490ead7",
                        "name": "unnamed-0",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://12ba336e1018414fdaf5c3da52a8c2ed159dba7a9258bc16e5296f4d1735cdda",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:40:46Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:40:46+00:00\\\",\\\"failures\\\":0,\\\"successes\\\":0,\\\"warnings\\\":0}\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:40:46Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "params": [
                        {
                            "default": "SUCCESS",
                            "description": "Test result to be generated",
                            "name": "RESULT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Test output",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/konflux-test:latest",
                            "name": "",
                            "script": "TEST_OUTPUT=$(jq -rc --arg date $(date -u --iso-8601=seconds) --arg RESULT SUCCESS --null-input \\\n  '{result: $RESULT, timestamp: $date, failures: 0, successes: 0, warnings: 0}')\necho -n \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/commit_sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/pull_request_number": "30788",
                    "build.appstudio.redhat.com/target_branch": "base-zcjbry",
                    "chains.tekton.dev/signed": "true",
                    "pac.test.appstudio.openshift.io/branch": "base-zcjbry",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/check-run-id": "84972125948",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-slsnga",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "72200095",
                    "pac.test.appstudio.openshift.io/log-url": "https://CONSOLE_URL_NOT_AVAILABLE",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-zcjbry\"",
                    "pac.test.appstudio.openshift.io/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "30788",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pac.test.appstudio.openshift.io/repository": "test-component-pac-xi47ct",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "konflux-ci-e2e-tests[bot]",
                    "pac.test.appstudio.openshift.io/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pac.test.appstudio.openshift.io/sha-title": "konflux-ci e2e-tests update test-component-pac-xi47ct",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pac.test.appstudio.openshift.io/source-branch": "konflux-test-component-pac-xi47ct",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "redhat-appstudio-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration1-dtub/results/70f07953-9950-4cf5-8d08-58aff4c5567d/records/26ef2ae5-a90f-4196-9322-f68245dba79c",
                    "results.tekton.dev/result": "integration1-dtub/results/70f07953-9950-4cf5-8d08-58aff4c5567d",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "The number 0 of component snapshots belonging to this pr group hash 086ea687dbe778cee8b9ed2ceccf8d39d0bcf8dc9cdb2cff51e0346dc5e99b is less than 2, skipping group snapshot creation",
                    "test.appstudio.openshift.io/integration-workflow": "pull-request",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1783071434000",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-xi47ct",
                    "test.appstudio.openshift.io/result-chains-git-commit": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "test.appstudio.openshift.io/result-chains-git-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "test.appstudio.openshift.io/result-image-digest": "sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a",
                    "test.appstudio.openshift.io/result-image-url": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed",
                    "test.appstudio.openshift.io/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration"
                },
                "creationTimestamp": "2026-07-03T09:40:38Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "integ-app-5uz1",
                    "appstudio.openshift.io/component": "test-component-pac-xi47ct",
                    "appstudio.openshift.io/snapshot": "integ-app-5uz1-20260703-093714-000",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/check-run-id": "84972125948",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "30788",
                    "pac.test.appstudio.openshift.io/repository": "test-component-pac-xi47ct",
                    "pac.test.appstudio.openshift.io/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "redhat-appstudio-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "integration-test-p507-7jcm8",
                    "tekton.dev/pipelineRun": "integration-test-p507-7jcm8",
                    "tekton.dev/pipelineRunUID": "70f07953-9950-4cf5-8d08-58aff4c5567d",
                    "tekton.dev/pipelineTask": "task-success-2",
                    "tekton.dev/task": "test-output",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1783071634",
                    "test.appstudio.openshift.io/pr-group-sha": "086ea687dbe778cee8b9ed2ceccf8d39d0bcf8dc9cdb2cff51e0346dc5e99b",
                    "test.appstudio.openshift.io/scenario": "integration-test-p507",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "integration-test-p507-7jcm8-task-success-2",
                "namespace": "integration1-dtub",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "integration-test-p507-7jcm8",
                        "uid": "70f07953-9950-4cf5-8d08-58aff4c5567d"
                    }
                ],
                "resourceVersion": "57920",
                "uid": "26ef2ae5-a90f-4196-9322-f68245dba79c"
            },
            "spec": {
                "params": [
                    {
                        "name": "RESULT",
                        "value": "SUCCESS"
                    }
                ],
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/integration-examples"
                        },
                        {
                            "name": "revision",
                            "value": "main"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/test_output.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:40:46Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:40:46Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "integration-test-p507-7jcm8-task-success-2-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "a1a70b0a1cfc96f5216d472fbd60f6b42780b3e5"
                        },
                        "entryPoint": "tasks/test_output.yaml",
                        "uri": "git+https://github.com/konflux-ci/integration-examples"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:40:45+00:00\",\"failures\":0,\"successes\":0,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-03T09:40:38Z",
                "steps": [
                    {
                        "container": "step-unnamed-0",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c370a7bc6e172cdbab001f1a19f37ebc95f47c3d8fe2d915fa4641132490ead7",
                        "name": "unnamed-0",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c4ef355cff169ae8e62479e85538431dec4bdadb624159bb042272c6bc7ccbc3",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:40:45Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:40:45+00:00\\\",\\\"failures\\\":0,\\\"successes\\\":0,\\\"warnings\\\":0}\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:40:45Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "params": [
                        {
                            "default": "SUCCESS",
                            "description": "Test result to be generated",
                            "name": "RESULT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Test output",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/konflux-test:latest",
                            "name": "",
                            "script": "TEST_OUTPUT=$(jq -rc --arg date $(date -u --iso-8601=seconds) --arg RESULT SUCCESS --null-input \\\n  '{result: $RESULT, timestamp: $date, failures: 0, successes: 0, warnings: 0}')\necho -n \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/commit_sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/pull_request_number": "30788",
                    "build.appstudio.redhat.com/target_branch": "base-zcjbry",
                    "chains.tekton.dev/signed": "true",
                    "pac.test.appstudio.openshift.io/branch": "base-zcjbry",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/check-run-id": "84972125948",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-slsnga",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "72200095",
                    "pac.test.appstudio.openshift.io/log-url": "https://CONSOLE_URL_NOT_AVAILABLE",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-zcjbry\"",
                    "pac.test.appstudio.openshift.io/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "30788",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pac.test.appstudio.openshift.io/repository": "test-component-pac-xi47ct",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "konflux-ci-e2e-tests[bot]",
                    "pac.test.appstudio.openshift.io/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pac.test.appstudio.openshift.io/sha-title": "konflux-ci e2e-tests update test-component-pac-xi47ct",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pac.test.appstudio.openshift.io/source-branch": "konflux-test-component-pac-xi47ct",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "redhat-appstudio-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration1-dtub/results/34beca9d-413d-44e3-abd1-9038b3c4f819/records/44f79300-cec0-41ee-a3af-e0a93647afa6",
                    "results.tekton.dev/result": "integration1-dtub/results/34beca9d-413d-44e3-abd1-9038b3c4f819",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "The number 0 of component snapshots belonging to this pr group hash 086ea687dbe778cee8b9ed2ceccf8d39d0bcf8dc9cdb2cff51e0346dc5e99b is less than 2, skipping group snapshot creation",
                    "test.appstudio.openshift.io/integration-workflow": "pull-request",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1783071434000",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-xi47ct",
                    "test.appstudio.openshift.io/result-chains-git-commit": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "test.appstudio.openshift.io/result-chains-git-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "test.appstudio.openshift.io/result-image-digest": "sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a",
                    "test.appstudio.openshift.io/result-image-url": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed",
                    "test.appstudio.openshift.io/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration"
                },
                "creationTimestamp": "2026-07-03T09:40:39Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "integ-app-5uz1",
                    "appstudio.openshift.io/component": "test-component-pac-xi47ct",
                    "appstudio.openshift.io/snapshot": "integ-app-5uz1-20260703-093714-000",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/check-run-id": "84972125948",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "30788",
                    "pac.test.appstudio.openshift.io/repository": "test-component-pac-xi47ct",
                    "pac.test.appstudio.openshift.io/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "redhat-appstudio-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "integration-test-p507-bljt4",
                    "tekton.dev/pipelineRun": "integration-test-p507-bljt4",
                    "tekton.dev/pipelineRunUID": "34beca9d-413d-44e3-abd1-9038b3c4f819",
                    "tekton.dev/pipelineTask": "task-skipped",
                    "tekton.dev/task": "test-output",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1783071634",
                    "test.appstudio.openshift.io/pr-group-sha": "086ea687dbe778cee8b9ed2ceccf8d39d0bcf8dc9cdb2cff51e0346dc5e99b",
                    "test.appstudio.openshift.io/run": "integration-test-p507",
                    "test.appstudio.openshift.io/scenario": "integration-test-p507",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "integration-test-p507-bljt4-task-skipped",
                "namespace": "integration1-dtub",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "integration-test-p507-bljt4",
                        "uid": "34beca9d-413d-44e3-abd1-9038b3c4f819"
                    }
                ],
                "resourceVersion": "58005",
                "uid": "44f79300-cec0-41ee-a3af-e0a93647afa6"
            },
            "spec": {
                "params": [
                    {
                        "name": "RESULT",
                        "value": "SKIPPED"
                    }
                ],
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/integration-examples"
                        },
                        {
                            "name": "revision",
                            "value": "main"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/test_output.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:40:47Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:40:47Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "integration-test-p507-bljt4-task-skipped-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "a1a70b0a1cfc96f5216d472fbd60f6b42780b3e5"
                        },
                        "entryPoint": "tasks/test_output.yaml",
                        "uri": "git+https://github.com/konflux-ci/integration-examples"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-03T09:40:47+00:00\",\"failures\":0,\"successes\":0,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-03T09:40:40Z",
                "steps": [
                    {
                        "container": "step-unnamed-0",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c370a7bc6e172cdbab001f1a19f37ebc95f47c3d8fe2d915fa4641132490ead7",
                        "name": "unnamed-0",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://33aeb2432552fb88687944446ee6edc404ea7adb3b9f562b714d2fa893b5dae2",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:40:47Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-03T09:40:47+00:00\\\",\\\"failures\\\":0,\\\"successes\\\":0,\\\"warnings\\\":0}\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:40:47Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "params": [
                        {
                            "default": "SUCCESS",
                            "description": "Test result to be generated",
                            "name": "RESULT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Test output",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/konflux-test:latest",
                            "name": "",
                            "script": "TEST_OUTPUT=$(jq -rc --arg date $(date -u --iso-8601=seconds) --arg RESULT SKIPPED --null-input \\\n  '{result: $RESULT, timestamp: $date, failures: 0, successes: 0, warnings: 0}')\necho -n \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/commit_sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/pull_request_number": "30788",
                    "build.appstudio.redhat.com/target_branch": "base-zcjbry",
                    "chains.tekton.dev/signed": "true",
                    "pac.test.appstudio.openshift.io/branch": "base-zcjbry",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/check-run-id": "84972125948",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-slsnga",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "72200095",
                    "pac.test.appstudio.openshift.io/log-url": "https://CONSOLE_URL_NOT_AVAILABLE",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-zcjbry\"",
                    "pac.test.appstudio.openshift.io/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "30788",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pac.test.appstudio.openshift.io/repository": "test-component-pac-xi47ct",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "konflux-ci-e2e-tests[bot]",
                    "pac.test.appstudio.openshift.io/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pac.test.appstudio.openshift.io/sha-title": "konflux-ci e2e-tests update test-component-pac-xi47ct",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pac.test.appstudio.openshift.io/source-branch": "konflux-test-component-pac-xi47ct",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "redhat-appstudio-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration1-dtub/results/34beca9d-413d-44e3-abd1-9038b3c4f819/records/adf6bcf7-ba39-4c0a-9e68-93410d925b4d",
                    "results.tekton.dev/result": "integration1-dtub/results/34beca9d-413d-44e3-abd1-9038b3c4f819",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "The number 0 of component snapshots belonging to this pr group hash 086ea687dbe778cee8b9ed2ceccf8d39d0bcf8dc9cdb2cff51e0346dc5e99b is less than 2, skipping group snapshot creation",
                    "test.appstudio.openshift.io/integration-workflow": "pull-request",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1783071434000",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-xi47ct",
                    "test.appstudio.openshift.io/result-chains-git-commit": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "test.appstudio.openshift.io/result-chains-git-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "test.appstudio.openshift.io/result-image-digest": "sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a",
                    "test.appstudio.openshift.io/result-image-url": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed",
                    "test.appstudio.openshift.io/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration"
                },
                "creationTimestamp": "2026-07-03T09:40:38Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "integ-app-5uz1",
                    "appstudio.openshift.io/component": "test-component-pac-xi47ct",
                    "appstudio.openshift.io/snapshot": "integ-app-5uz1-20260703-093714-000",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/check-run-id": "84972125948",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "30788",
                    "pac.test.appstudio.openshift.io/repository": "test-component-pac-xi47ct",
                    "pac.test.appstudio.openshift.io/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "redhat-appstudio-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "integration-test-p507-bljt4",
                    "tekton.dev/pipelineRun": "integration-test-p507-bljt4",
                    "tekton.dev/pipelineRunUID": "34beca9d-413d-44e3-abd1-9038b3c4f819",
                    "tekton.dev/pipelineTask": "task-success",
                    "tekton.dev/task": "test-output",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1783071634",
                    "test.appstudio.openshift.io/pr-group-sha": "086ea687dbe778cee8b9ed2ceccf8d39d0bcf8dc9cdb2cff51e0346dc5e99b",
                    "test.appstudio.openshift.io/run": "integration-test-p507",
                    "test.appstudio.openshift.io/scenario": "integration-test-p507",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "integration-test-p507-bljt4-task-success",
                "namespace": "integration1-dtub",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "integration-test-p507-bljt4",
                        "uid": "34beca9d-413d-44e3-abd1-9038b3c4f819"
                    }
                ],
                "resourceVersion": "57933",
                "uid": "adf6bcf7-ba39-4c0a-9e68-93410d925b4d"
            },
            "spec": {
                "params": [
                    {
                        "name": "RESULT",
                        "value": "SUCCESS"
                    }
                ],
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/integration-examples"
                        },
                        {
                            "name": "revision",
                            "value": "main"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/test_output.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:40:46Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:40:46Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "integration-test-p507-bljt4-task-success-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "a1a70b0a1cfc96f5216d472fbd60f6b42780b3e5"
                        },
                        "entryPoint": "tasks/test_output.yaml",
                        "uri": "git+https://github.com/konflux-ci/integration-examples"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:40:46+00:00\",\"failures\":0,\"successes\":0,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-03T09:40:39Z",
                "steps": [
                    {
                        "container": "step-unnamed-0",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c370a7bc6e172cdbab001f1a19f37ebc95f47c3d8fe2d915fa4641132490ead7",
                        "name": "unnamed-0",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://cee7a9093e672deb573d4925414e5ea5f12604d053c75b5213aaeb23e5a57343",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:40:46Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:40:46+00:00\\\",\\\"failures\\\":0,\\\"successes\\\":0,\\\"warnings\\\":0}\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:40:46Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "params": [
                        {
                            "default": "SUCCESS",
                            "description": "Test result to be generated",
                            "name": "RESULT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Test output",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/konflux-test:latest",
                            "name": "",
                            "script": "TEST_OUTPUT=$(jq -rc --arg date $(date -u --iso-8601=seconds) --arg RESULT SUCCESS --null-input \\\n  '{result: $RESULT, timestamp: $date, failures: 0, successes: 0, warnings: 0}')\necho -n \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/commit_sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/pull_request_number": "30788",
                    "build.appstudio.redhat.com/target_branch": "base-zcjbry",
                    "chains.tekton.dev/signed": "true",
                    "pac.test.appstudio.openshift.io/branch": "base-zcjbry",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/check-run-id": "84972125948",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-slsnga",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "72200095",
                    "pac.test.appstudio.openshift.io/log-url": "https://CONSOLE_URL_NOT_AVAILABLE",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-zcjbry\"",
                    "pac.test.appstudio.openshift.io/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "30788",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pac.test.appstudio.openshift.io/repository": "test-component-pac-xi47ct",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "konflux-ci-e2e-tests[bot]",
                    "pac.test.appstudio.openshift.io/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pac.test.appstudio.openshift.io/sha-title": "konflux-ci e2e-tests update test-component-pac-xi47ct",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pac.test.appstudio.openshift.io/source-branch": "konflux-test-component-pac-xi47ct",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "redhat-appstudio-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration1-dtub/results/34beca9d-413d-44e3-abd1-9038b3c4f819/records/77b91216-4a07-400e-b485-3389b9932a31",
                    "results.tekton.dev/result": "integration1-dtub/results/34beca9d-413d-44e3-abd1-9038b3c4f819",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "The number 0 of component snapshots belonging to this pr group hash 086ea687dbe778cee8b9ed2ceccf8d39d0bcf8dc9cdb2cff51e0346dc5e99b is less than 2, skipping group snapshot creation",
                    "test.appstudio.openshift.io/integration-workflow": "pull-request",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1783071434000",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-xi47ct",
                    "test.appstudio.openshift.io/result-chains-git-commit": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "test.appstudio.openshift.io/result-chains-git-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "test.appstudio.openshift.io/result-image-digest": "sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a",
                    "test.appstudio.openshift.io/result-image-url": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed",
                    "test.appstudio.openshift.io/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration"
                },
                "creationTimestamp": "2026-07-03T09:40:38Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "integ-app-5uz1",
                    "appstudio.openshift.io/component": "test-component-pac-xi47ct",
                    "appstudio.openshift.io/snapshot": "integ-app-5uz1-20260703-093714-000",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/check-run-id": "84972125948",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "30788",
                    "pac.test.appstudio.openshift.io/repository": "test-component-pac-xi47ct",
                    "pac.test.appstudio.openshift.io/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "redhat-appstudio-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "integration-test-p507-bljt4",
                    "tekton.dev/pipelineRun": "integration-test-p507-bljt4",
                    "tekton.dev/pipelineRunUID": "34beca9d-413d-44e3-abd1-9038b3c4f819",
                    "tekton.dev/pipelineTask": "task-success-2",
                    "tekton.dev/task": "test-output",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1783071634",
                    "test.appstudio.openshift.io/pr-group-sha": "086ea687dbe778cee8b9ed2ceccf8d39d0bcf8dc9cdb2cff51e0346dc5e99b",
                    "test.appstudio.openshift.io/run": "integration-test-p507",
                    "test.appstudio.openshift.io/scenario": "integration-test-p507",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "integration-test-p507-bljt4-task-success-2",
                "namespace": "integration1-dtub",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "integration-test-p507-bljt4",
                        "uid": "34beca9d-413d-44e3-abd1-9038b3c4f819"
                    }
                ],
                "resourceVersion": "57955",
                "uid": "77b91216-4a07-400e-b485-3389b9932a31"
            },
            "spec": {
                "params": [
                    {
                        "name": "RESULT",
                        "value": "SUCCESS"
                    }
                ],
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/integration-examples"
                        },
                        {
                            "name": "revision",
                            "value": "main"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/test_output.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:40:47Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:40:47Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "integration-test-p507-bljt4-task-success-2-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "a1a70b0a1cfc96f5216d472fbd60f6b42780b3e5"
                        },
                        "entryPoint": "tasks/test_output.yaml",
                        "uri": "git+https://github.com/konflux-ci/integration-examples"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:40:46+00:00\",\"failures\":0,\"successes\":0,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-03T09:40:40Z",
                "steps": [
                    {
                        "container": "step-unnamed-0",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c370a7bc6e172cdbab001f1a19f37ebc95f47c3d8fe2d915fa4641132490ead7",
                        "name": "unnamed-0",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://9c82a51a1b9cf0735f0ae8a821d7d139c04b7a72f501c4801176ebc7b5d0da3d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:40:46Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:40:46+00:00\\\",\\\"failures\\\":0,\\\"successes\\\":0,\\\"warnings\\\":0}\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:40:46Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "params": [
                        {
                            "default": "SUCCESS",
                            "description": "Test result to be generated",
                            "name": "RESULT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Test output",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/konflux-test:latest",
                            "name": "",
                            "script": "TEST_OUTPUT=$(jq -rc --arg date $(date -u --iso-8601=seconds) --arg RESULT SUCCESS --null-input \\\n  '{result: $RESULT, timestamp: $date, failures: 0, successes: 0, warnings: 0}')\necho -n \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/commit_sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/pull_request_number": "30788",
                    "build.appstudio.redhat.com/target_branch": "base-zcjbry",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-zcjbry",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84972125948",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-slsnga",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/integration1-dtub/pipelinerun/test-component-pac-xi47ct-on-pull-request-mdf97",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-zcjbry\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30788",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration1-dtub/results/90f9bafe-f47f-4f65-a2a4-ce15948e8452/records/781b6f00-a4af-4e90-b3f3-596588e6414a",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration\",\"commit\":\"36d7648995318e235d9e732b8e3d3b84d7a77c43\",\"eventType\":\"pull_request\",\"pull_request-id\":30788}",
                    "results.tekton.dev/result": "integration1-dtub/results/90f9bafe-f47f-4f65-a2a4-ce15948e8452",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-xi47ct",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:39:49Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-5uz1",
                    "appstudio.openshift.io/component": "test-component-pac-xi47ct",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84972125948",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30788",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-component-pac-xi47ct-on-pull-request-mdf97",
                    "tekton.dev/pipelineRun": "test-component-pac-xi47ct-on-pull-request-mdf97",
                    "tekton.dev/pipelineRunUID": "90f9bafe-f47f-4f65-a2a4-ce15948e8452",
                    "tekton.dev/pipelineTask": "coverity-availability-check",
                    "tekton.dev/task": "coverity-availability-check",
                    "test.appstudio.openshift.io/pr-group-sha": "086ea687dbe778cee8b9ed2ceccf8d39d0bcf8dc9cdb2cff51e0346dc5e99b"
                },
                "name": "tes5e429df7563aa99c13949a3c56e24efb-coverity-availability-check",
                "namespace": "integration1-dtub",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-component-pac-xi47ct-on-pull-request-mdf97",
                        "uid": "90f9bafe-f47f-4f65-a2a4-ce15948e8452"
                    }
                ],
                "resourceVersion": "57270",
                "uid": "781b6f00-a4af-4e90-b3f3-596588e6414a"
            },
            "spec": {
                "serviceAccountName": "build-pipeline-test-component-pac-xi47ct",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "coverity-availability-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:40:02Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:40:02Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tes5e429df7563aa99c13949a3cfe802a208f82dba9deae5a9de0e152f1-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        "entryPoint": "coverity-availability-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check"
                    }
                },
                "results": [
                    {
                        "name": "STATUS",
                        "type": "string",
                        "value": "failed"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"2026-07-03T09:40:01+00:00\",\"note\":\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\",\"namespace\":\"default\",\"successes\":0,\"failures\":1,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:39:50Z",
                "steps": [
                    {
                        "container": "step-coverity-availability-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "coverity-availability-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://bf4f3348f53cfa3947720ccf251f74d0b7b0cc8a376f98e8e162aac0cee1fd72",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:40:01Z",
                            "message": "[{\"key\":\"STATUS\",\"value\":\"failed\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"2026-07-03T09:40:01+00:00\\\",\\\"note\\\":\\\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":1,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:40:01Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.",
                    "params": [
                        {
                            "default": "cov-license",
                            "description": "Name of secret which contains the Coverity license",
                            "name": "COV_LICENSE",
                            "type": "string"
                        },
                        {
                            "default": "auth-token-coverity-image",
                            "description": "Name of secret which contains the authentication token for pulling the Coverity image.",
                            "name": "AUTH_TOKEN_COVERITY_IMAGE",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task result output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Tekton task simple status to be later checked",
                            "name": "STATUS",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "COV_LICENSE",
                                    "value": "cov-license"
                                },
                                {
                                    "name": "AUTH_TOKEN_COVERITY_IMAGE",
                                    "value": "auth-token-coverity-image"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "coverity-availability-check",
                            "script": "#!/usr/bin/env bash\nset -eo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Checking Coverity license\nCOV_LICENSE_PATH=/etc/secrets/cov/cov-license\nif [ -f \"${COV_LICENSE_PATH}\" ] \u0026\u0026 [ -s \"${COV_LICENSE_PATH}\" ]; then\n  echo \"Coverity license detected!\"\nelse\n  echo 'No license file for Coverity was detected. Coverity scan will not be executed...'\n  echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license'\n  note=\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# Checking authentication token for downloading coverity image\nAUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json\nif [ -f \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ] \u0026\u0026 [ -s \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ]; then\n  echo \"Authentication token detected!\"\nelse\n  echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...'\n  echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image'\n  note=\"Task coverity-availability-check failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nnote=\"Task coverity-availability-check completed: Coverity availability checks finished succesfully.\"\n# shellcheck disable=SC2034\nTEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t \"$note\")\necho -n \"success\" | tee \"/tekton/results/STATUS\"\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets/cov",
                                    "name": "cov-license",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/secrets/auth/config.json",
                                    "name": "auth-token-coverity-image",
                                    "subPath": ".dockerconfigjson"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "cov-license",
                            "secret": {
                                "optional": true,
                                "secretName": "cov-license"
                            }
                        },
                        {
                            "name": "auth-token-coverity-image",
                            "secret": {
                                "optional": true,
                                "secretName": "auth-token-coverity-image"
                            }
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/commit_sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/pull_request_number": "30788",
                    "build.appstudio.redhat.com/target_branch": "base-zcjbry",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-zcjbry",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84972125948",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-slsnga",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/integration1-dtub/pipelinerun/test-component-pac-xi47ct-on-pull-request-mdf97",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-zcjbry\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30788",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration1-dtub/results/90f9bafe-f47f-4f65-a2a4-ce15948e8452/records/f22e30c1-1c12-423a-9b62-f0b84b9eff09",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration\",\"commit\":\"36d7648995318e235d9e732b8e3d3b84d7a77c43\",\"eventType\":\"pull_request\",\"pull_request-id\":30788}",
                    "results.tekton.dev/result": "integration1-dtub/results/90f9bafe-f47f-4f65-a2a4-ce15948e8452",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-xi47ct",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:39:49Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-5uz1",
                    "appstudio.openshift.io/component": "test-component-pac-xi47ct",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84972125948",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30788",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-component-pac-xi47ct-on-pull-request-mdf97",
                    "tekton.dev/pipelineRun": "test-component-pac-xi47ct-on-pull-request-mdf97",
                    "tekton.dev/pipelineRunUID": "90f9bafe-f47f-4f65-a2a4-ce15948e8452",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "tekton.dev/task": "deprecated-image-check",
                    "test.appstudio.openshift.io/pr-group-sha": "086ea687dbe778cee8b9ed2ceccf8d39d0bcf8dc9cdb2cff51e0346dc5e99b"
                },
                "name": "tes5e429df7563aa99c13949a3c56e24efb-deprecated-base-image-check",
                "namespace": "integration1-dtub",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-component-pac-xi47ct-on-pull-request-mdf97",
                        "uid": "90f9bafe-f47f-4f65-a2a4-ce15948e8452"
                    }
                ],
                "resourceVersion": "57143",
                "uid": "f22e30c1-1c12-423a-9b62-f0b84b9eff09"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-component-pac-xi47ct",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:40:02Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:40:02Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tes5e429df7563aa99c13949a3c7e41dbb835e35202363e1136a3daba72-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43\", \"digests\": [\"sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:40:02+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:39:49Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "check-images",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c11f6682578cf7097dbf2c753109a176e7893892e1b2ae78586b0a497a6927e2",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:40:02Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43\\\", \\\"digests\\\": [\\\"sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:40:02+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:39:55Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    # Get base images from SBOM\n    cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n    if [ $? -ne 0 ]; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n  # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n  mkdir -p ${IMAGE_REPO_PATH}\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n    --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n    --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n    failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/commit_sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/pull_request_number": "30788",
                    "build.appstudio.redhat.com/target_branch": "base-zcjbry",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-93b9db8db8",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-zcjbry",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84972125948",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-slsnga",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/integration1-dtub/pipelinerun/test-component-pac-xi47ct-on-pull-request-mdf97",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-zcjbry\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30788",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration1-dtub/results/90f9bafe-f47f-4f65-a2a4-ce15948e8452/records/b9ee0fb8-4be5-42ac-8405-b64df2d0cf1f",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration\",\"commit\":\"36d7648995318e235d9e732b8e3d3b84d7a77c43\",\"eventType\":\"pull_request\",\"pull_request-id\":30788}",
                    "results.tekton.dev/result": "integration1-dtub/results/90f9bafe-f47f-4f65-a2a4-ce15948e8452",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-xi47ct",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:37:36Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-5uz1",
                    "appstudio.openshift.io/component": "test-component-pac-xi47ct",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84972125948",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30788",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-component-pac-xi47ct-on-pull-request-mdf97",
                    "tekton.dev/pipelineRun": "test-component-pac-xi47ct-on-pull-request-mdf97",
                    "tekton.dev/pipelineRunUID": "90f9bafe-f47f-4f65-a2a4-ce15948e8452",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies",
                    "test.appstudio.openshift.io/pr-group-sha": "086ea687dbe778cee8b9ed2ceccf8d39d0bcf8dc9cdb2cff51e0346dc5e99b"
                },
                "name": "test-comp5e429df7563aa99c13949a3c56e24efb-prefetch-dependencies",
                "namespace": "integration1-dtub",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-component-pac-xi47ct-on-pull-request-mdf97",
                        "uid": "90f9bafe-f47f-4f65-a2a4-ce15948e8452"
                    }
                ],
                "resourceVersion": "56604",
                "uid": "b9ee0fb8-4be5-42ac-8405-b64df2d0cf1f"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-test-component-pac-xi47ct",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.3@sha256:45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-50060ba8f8"
                        }
                    },
                    {
                        "name": "git-basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-slsnga"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:37:45Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:37:45Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-comp5e429df7563aa99c131a6d05958c41cbb0aa744d4a424eaa38-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        "entryPoint": "prefetch-dependencies",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies"
                    }
                },
                "startTime": "2026-07-03T09:37:36Z",
                "steps": [
                    {
                        "container": "step-prefetch-dependencies",
                        "imageID": "quay.io/konflux-ci/hermeto@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                        "name": "prefetch-dependencies",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://56c8f0387d88262e3cc0983e84de77136cf25521d8dc44979b5de20122e481f2",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:37:44Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:37:40Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for hermetic build.",
                    "params": [
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/workspace/source/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/workspace/source/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILE",
                                    "value": "/workspace/source/cachi2/cachi2.env"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY",
                                    "value": "/workspace/git-basic-auth"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.48.0@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e /mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace with the source code, prefetch artifacts will be stored on the workspace as well",
                            "name": "source"
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/commit_sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/pull_request_number": "30788",
                    "build.appstudio.redhat.com/target_branch": "base-zcjbry",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-zcjbry",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84972125948",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-slsnga",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/integration1-dtub/pipelinerun/test-component-pac-xi47ct-on-pull-request-mdf97",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-zcjbry\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30788",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration1-dtub/results/90f9bafe-f47f-4f65-a2a4-ce15948e8452/records/d81d306b-cf24-41a7-9be6-4a1588b17f1c",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration\",\"commit\":\"36d7648995318e235d9e732b8e3d3b84d7a77c43\",\"eventType\":\"pull_request\",\"pull_request-id\":30788}",
                    "results.tekton.dev/result": "integration1-dtub/results/90f9bafe-f47f-4f65-a2a4-ce15948e8452",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-xi47ct",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:39:49Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-5uz1",
                    "appstudio.openshift.io/component": "test-component-pac-xi47ct",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84972125948",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30788",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-component-pac-xi47ct-on-pull-request-mdf97",
                    "tekton.dev/pipelineRun": "test-component-pac-xi47ct-on-pull-request-mdf97",
                    "tekton.dev/pipelineRunUID": "90f9bafe-f47f-4f65-a2a4-ce15948e8452",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "086ea687dbe778cee8b9ed2ceccf8d39d0bcf8dc9cdb2cff51e0346dc5e99b"
                },
                "name": "test-compon5e429df7563aa99c13949a3c56e24efb-rpms-signature-scan",
                "namespace": "integration1-dtub",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-component-pac-xi47ct-on-pull-request-mdf97",
                        "uid": "90f9bafe-f47f-4f65-a2a4-ce15948e8452"
                    }
                ],
                "resourceVersion": "57695",
                "uid": "d81d306b-cf24-41a7-9be6-4a1588b17f1c"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-component-pac-xi47ct",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:40:24Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:40:24Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-compon5e429df7563aa99c75156f7f8c284fae7ceb3841c6266ec7-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43\", \"digests\": [\"sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"199e2f91fd431d51\": 132, \"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:40:22+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:39:52Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                        "name": "rpms-signature-scan",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://caec7c5c57ad119a94fb21fa9bf23d69ea94a58ee607a5dc510b8f070e1db31b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:40:21Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:40:03Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                        "name": "output-results",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://46fac9eb3f3455cc3d74027ba39e94f7b959f35e02da2530c9e7df1afb86fe0e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:40:23Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43\\\", \\\"digests\\\": [\\\"sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 132, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:40:22+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:40:22Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provide information about RPMs signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/commit_sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/pull_request_number": "30788",
                    "build.appstudio.redhat.com/target_branch": "base-zcjbry",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-93b9db8db8",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-zcjbry",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84972125948",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-slsnga",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/integration1-dtub/pipelinerun/test-component-pac-xi47ct-on-pull-request-mdf97",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-zcjbry\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30788",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration1-dtub/results/90f9bafe-f47f-4f65-a2a4-ce15948e8452/records/31dba264-55b8-4128-ba4b-fdd0928bb94c",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration\",\"commit\":\"36d7648995318e235d9e732b8e3d3b84d7a77c43\",\"eventType\":\"pull_request\",\"pull_request-id\":30788}",
                    "results.tekton.dev/result": "integration1-dtub/results/90f9bafe-f47f-4f65-a2a4-ce15948e8452",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-xi47ct",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:39:49Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-5uz1",
                    "appstudio.openshift.io/component": "test-component-pac-xi47ct",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84972125948",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30788",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-component-pac-xi47ct-on-pull-request-mdf97",
                    "tekton.dev/pipelineRun": "test-component-pac-xi47ct-on-pull-request-mdf97",
                    "tekton.dev/pipelineRunUID": "90f9bafe-f47f-4f65-a2a4-ce15948e8452",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check",
                    "test.appstudio.openshift.io/pr-group-sha": "086ea687dbe778cee8b9ed2ceccf8d39d0bcf8dc9cdb2cff51e0346dc5e99b"
                },
                "name": "test-compone5e429df7563aa99c13949a3c56e24efb-sast-unicode-check",
                "namespace": "integration1-dtub",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-component-pac-xi47ct-on-pull-request-mdf97",
                        "uid": "90f9bafe-f47f-4f65-a2a4-ce15948e8452"
                    }
                ],
                "resourceVersion": "57486",
                "uid": "31dba264-55b8-4128-ba4b-fdd0928bb94c"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-component-pac-xi47ct",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.4@sha256:d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-50060ba8f8"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:40:04Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:40:04Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-compone5e429df7563aa991de4cfe23e789f8120f7979afa28165e-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        "entryPoint": "sast-unicode-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:40:02+00:00\",\"note\":\"Task sast-unicode-check success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:39:51Z",
                "steps": [
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-unicode-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6d64e8f5d2aad95523f8d3aa9801a08cfb2eb6c17d3846702601953995879c3e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:40:02Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:40:02+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:40:01Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://335c996295c078e8b3b7bf7c31accee8cce2d4a9548ab904baf5556ba3ccf832",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:40:04Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:40:02+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:40:03Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
                            "description": "arguments for find-unicode-control command.",
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/workspace/workspace"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n    \u003eraw_sast_unicode_check_out.txt \\\n    2\u003eraw_sast_unicode_check_out.log \\\n    || FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n    echo \"Failed to run find-unicode-control command\" \u003e\u00262\n    cat raw_sast_unicode_check_out.log\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n    echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n    --mode=json\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"${SCAN_PROP}\"\n    --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003e processed_sast_unicode_check_out.json 2\u003e processed_sast_unicode_check_out.err; then\n    echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n    cat processed_sast_unicode_check_out.err\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # Build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    # Append --record-excluded option if RECORD_EXCLUDED is true\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003e sast_unicode_check_out.json 2\u003e sast_unicode_check_out.error\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n        mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n    else\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003e sast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n    note=\"Task sast-unicode-check success: No finding was detected\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s  sast_unicode_check_out.sarif ]]; then\n    note=\"Task sast-unicode-check success: Some findings were detected, but filtered by known false positive\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n    echo \"sast-unicode-check test failed because of the following issues:\"\n    cat sast_unicode_check_out.json\n    TEST_OUTPUT=\n    parse_test_output \"sast-unicode-check\" sarif sast_unicode_check_out.sarif  || true\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0;\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n\n    if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/commit_sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/pull_request_number": "30788",
                    "build.appstudio.redhat.com/target_branch": "base-zcjbry",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-zcjbry",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84972125948",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-slsnga",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/integration1-dtub/pipelinerun/test-component-pac-xi47ct-on-pull-request-mdf97",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-zcjbry\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30788",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration1-dtub/results/90f9bafe-f47f-4f65-a2a4-ce15948e8452/records/bc54cd3f-0452-4093-8ad7-58e53d5a3ca1",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration\",\"commit\":\"36d7648995318e235d9e732b8e3d3b84d7a77c43\",\"eventType\":\"pull_request\",\"pull_request-id\":30788}",
                    "results.tekton.dev/result": "integration1-dtub/results/90f9bafe-f47f-4f65-a2a4-ce15948e8452",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-xi47ct",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:39:39Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-5uz1",
                    "appstudio.openshift.io/component": "test-component-pac-xi47ct",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84972125948",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30788",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-component-pac-xi47ct-on-pull-request-mdf97",
                    "tekton.dev/pipelineRun": "test-component-pac-xi47ct-on-pull-request-mdf97",
                    "tekton.dev/pipelineRunUID": "90f9bafe-f47f-4f65-a2a4-ce15948e8452",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "tekton.dev/task": "build-image-index",
                    "test.appstudio.openshift.io/pr-group-sha": "086ea687dbe778cee8b9ed2ceccf8d39d0bcf8dc9cdb2cff51e0346dc5e99b"
                },
                "name": "test-componen5e429df7563aa99c13949a3c56e24efb-build-image-index",
                "namespace": "integration1-dtub",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-component-pac-xi47ct-on-pull-request-mdf97",
                        "uid": "90f9bafe-f47f-4f65-a2a4-ce15948e8452"
                    }
                ],
                "resourceVersion": "57136",
                "uid": "bc54cd3f-0452-4093-8ad7-58e53d5a3ca1"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "36d7648995318e235d9e732b8e3d3b84d7a77c43"
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43@sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-component-pac-xi47ct",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:39:48Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:39:48Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-componen5e429df7563aa905f83af9480e6b7485d719e2d4f9172b-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        "entryPoint": "build-image-index",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct@sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43"
                    }
                ],
                "startTime": "2026-07-03T09:39:39Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://10c5203e5208ac89bd4fc72aa3ff2c9d193aac77353331155ca2ea2c5ddccae1",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:39:45Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct@sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:39:42Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "create-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://4bb628831d7b77b31ca974b9429f269a0e4391bede90201ba75f7298a8a154ed",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:39:46Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct@sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:39:46Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://39f04d52210b326d38cdc374af0daf68b993f23fa8e663968c6c7ebe23fd7d0d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:39:48Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct@sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:39:46Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The commit the image is built from.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "COMMIT_SHA",
                                "value": "36d7648995318e235d9e732b8e3d3b84d7a77c43"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43@sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n  echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n  exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n  TOADD=\"$i\"\n  TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n  TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n  if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n    #format is repository:tag@sha256:digest\n    #we need to remove the tag, and just reference the digest\n    #as tag + digest is not supported\n    TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n    TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n  fi\n  if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n    echo \"Skipping image index generation. Returning results for $TOADD.\"\n    echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n    echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n    echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n    exit 0\n  fi\n\n  echo \"Adding $TOADD\"\n  buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n  INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n  INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n  echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n  echo \"This will cause digest changes and break SBOM accessibility.\"\n  echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n  exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n    echo \"Failed to push image ${IMAGE} to registry\"\n    exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:test-componen5e429df7563aa99c13949a3c56e24efb-build-image-index\"\nthen\n    echo \"Failed to push image ${IMAGE%:*}:test-componen5e429df7563aa99c13949a3c56e24efb-build-image-index to registry\"\n    exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n  image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n  echo -n \"${IMAGE}@\"\n  cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/commit_sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/pull_request_number": "30788",
                    "build.appstudio.redhat.com/target_branch": "base-zcjbry",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-zcjbry",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84972125948",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-slsnga",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/integration1-dtub/pipelinerun/test-component-pac-xi47ct-on-pull-request-mdf97",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-zcjbry\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30788",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration1-dtub/results/90f9bafe-f47f-4f65-a2a4-ce15948e8452/records/2f4fab8c-2925-43c3-88fa-796507e7812e",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration\",\"commit\":\"36d7648995318e235d9e732b8e3d3b84d7a77c43\",\"eventType\":\"pull_request\",\"pull_request-id\":30788}",
                    "results.tekton.dev/result": "integration1-dtub/results/90f9bafe-f47f-4f65-a2a4-ce15948e8452",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-xi47ct",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:39:49Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-5uz1",
                    "appstudio.openshift.io/component": "test-component-pac-xi47ct",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84972125948",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30788",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-component-pac-xi47ct-on-pull-request-mdf97",
                    "tekton.dev/pipelineRun": "test-component-pac-xi47ct-on-pull-request-mdf97",
                    "tekton.dev/pipelineRunUID": "90f9bafe-f47f-4f65-a2a4-ce15948e8452",
                    "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks",
                    "tekton.dev/task": "ecosystem-cert-preflight-checks",
                    "test.appstudio.openshift.io/pr-group-sha": "086ea687dbe778cee8b9ed2ceccf8d39d0bcf8dc9cdb2cff51e0346dc5e99b"
                },
                "name": "test-component-pac-xi47ct-on-pu9e6bc81a64447b98c44d38740a22d4ca",
                "namespace": "integration1-dtub",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-component-pac-xi47ct-on-pull-request-mdf97",
                        "uid": "90f9bafe-f47f-4f65-a2a4-ce15948e8452"
                    }
                ],
                "resourceVersion": "57826",
                "uid": "2f4fab8c-2925-43c3-88fa-796507e7812e"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-component-pac-xi47ct",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "ecosystem-cert-preflight-checks"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:40:27Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:40:27Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-component-pac-xi47ct-oc6ec8cfaaa2e8285a7f8564bd9beb984-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        "entryPoint": "ecosystem-cert-preflight-checks",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks"
                    }
                },
                "results": [
                    {
                        "name": "ARTIFACT_TYPE",
                        "type": "string",
                        "value": "application"
                    },
                    {
                        "name": "ARTIFACT_TYPE_SET_BY",
                        "type": "string",
                        "value": "introspection"
                    },
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43\", \"digests\": [\"sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a\"]}}"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783071624\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-03T09:39:49Z",
                "steps": [
                    {
                        "container": "step-introspect",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "introspect",
                        "provenance": {},
                        "results": [
                            {
                                "name": "artifact-type",
                                "type": "string",
                                "value": "application"
                            },
                            {
                                "name": "artifact-type-set-by",
                                "type": "string",
                                "value": "introspection"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://1c1d1bee974f9a75fa5ee9f9ea9044a782e4f71e5a0307e30e0fc18e48b00b8f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:40:03Z",
                            "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:40:02Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-generate-container-auth",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "generate-container-auth",
                        "provenance": {},
                        "results": [
                            {
                                "name": "auth-json-path",
                                "type": "string",
                                "value": "/auth/auth.json"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://27dc4656574a48ee3660e1aa571aa60a08e8a14b3d7bf3ba64e81dbbf6196899",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:40:04Z",
                            "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:40:04Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-set-skip-for-bundles",
                        "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                        "name": "set-skip-for-bundles",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c290cde965f2addcd7589bb6c7fe00ade848f0631c993c990b90a6f721190b46",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:40:04Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:40:04Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-app-check",
                        "imageID": "quay.io/opdev/preflight@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                        "name": "app-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b245c692ee385e66bcddce1312f6ac1a9012a1ef5fec3ac3aaa16daae0084e74",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:40:23Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:40:05Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-app-set-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "app-set-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "images-processed",
                                "type": "string",
                                "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43\", \"digests\": [\"sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a\"]}}"
                            },
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783071624\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://3f2b9312abc25bd755ad80ffb9d30d6a0504e4cbeeaec09c5d1d085509c9de60",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:40:25Z",
                            "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43\\\", \\\"digests\\\": [\\\"sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1783071624\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:40:24Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-final-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "final-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1783071624\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://a0d14e038803bf7e8498fd0cf2f2101699de9ee6e10ce7208cc12e0ffb82ca02",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:40:26Z",
                            "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1783071624\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:40:26Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.",
                    "params": [
                        {
                            "description": "Image url to scan.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "introspect",
                            "description": "The type of artifact. Select from application, operatorbundle, or introspect.",
                            "name": "artifact-type",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform the image is built on.",
                            "name": "platform",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Ecosystem checks pass or fail outcome.",
                            "name": "TEST_OUTPUT",
                            "type": "string",
                            "value": "$(steps.final-outcome.results.test-output)"
                        },
                        {
                            "description": "The artifact type, either introspected or set.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type)"
                        },
                        {
                            "description": "How the artifact type was set.",
                            "name": "ARTIFACT_TYPE_SET_BY",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type-set-by)"
                        },
                        {
                            "description": "Collected image digests",
                            "name": "IMAGES_PROCESSED",
                            "type": "string",
                            "value": "$(steps.app-set-outcome.results.images-processed)"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_ARTIFACT_TYPE",
                                    "value": "introspect"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "introspect",
                            "results": [
                                {
                                    "description": "The type of artifact this task is considering.",
                                    "name": "artifact-type"
                                },
                                {
                                    "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n",
                                    "name": "artifact-type-set-by"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n  echo \"Artifact type will be determined by introspection.\"\n  _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n  # short circuit if the artifact type was set via parameter.\n  echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n  printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n  exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n  _CURRENT_ARCH=$(uname -m)\n  _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n  # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n  # to map them.\n  case ${_CURRENT_ARCH} in\n    \"aarch64\")\n      _CURRENT_ARCH=\"arm64\"\n      ;;\n    \"x86_64\")\n      _CURRENT_ARCH=\"amd64\"\n      ;;\n    *)\n      ;;\n  esac\n\n  # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n  _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n  if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n    echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n  else\n    # If there is no image for the current OS and architecture, just use the first one in the list.\n    _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n    _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n    _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n    _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n    echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n  fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n  | jq '.Labels | keys | .[]' -r \\\n  | { grep operators.operatorframework.io.bundle || true ;} \\\n  | tee /tmp/ecosystem-image-labels\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n"
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "generate-container-auth",
                            "results": [
                                {
                                    "description": "Path to auth.json",
                                    "name": "auth-json-path"
                                }
                            ],
                            "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/auth",
                                    "name": "auth"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                            "name": "set-skip-for-bundles",
                            "results": [
                                {
                                    "description": "A skipped tekton result for bundles.",
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/bundle",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "operatorbundle"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PFLT_DOCKERCONFIG",
                                    "value": "$(steps.generate-container-auth.results.auth-json-path)"
                                },
                                {
                                    "name": "PFLT_KONFLUX",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43"
                                },
                                {
                                    "name": "PARAM_PLATFORM"
                                }
                            ],
                            "image": "quay.io/opdev/preflight:stable@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                            "name": "app-check",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n  # Extract part after slash if present\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n\n  # Validate against supported arch list. If it's not a known arch, return an error result\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n  /usr/local/bin/preflight check container \"$image_url\"\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                },
                                {
                                    "mountPath": "/auth",
                                    "name": "auth",
                                    "readOnly": true
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "app-set-outcome",
                            "results": [
                                {
                                    "description": "The overall outcome of this task.",
                                    "name": "test-output"
                                },
                                {
                                    "description": "Processed image digests.",
                                    "name": "images-processed"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n    # Check if results directory exits\n    RESULT_JSON_PATH=/artifacts/${ARCH}/results.json\n    if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n        continue\n    fi\n    # Process results\n    if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n    PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{  result: $result,\n    timestamp: $date,\n    note: $note,\n    successes: $successes|tonumber,\n    failures: $failures|tonumber,\n    warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n  docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n  if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n    digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n  fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nimage_digest=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" | sha256sum | awk '{print \"sha256:\" $1}')\nif [[ -n \"$image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n  digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "final-outcome",
                            "results": [
                                {
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n  printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n  exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mount",
                                    "name": "pfltoutputdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "pfltoutputdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "auth"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/commit_sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/pull_request_number": "30788",
                    "build.appstudio.redhat.com/target_branch": "base-zcjbry",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-zcjbry",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84972125948",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-slsnga",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/integration1-dtub/pipelinerun/test-component-pac-xi47ct-on-pull-request-mdf97",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-zcjbry\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30788",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration1-dtub/results/90f9bafe-f47f-4f65-a2a4-ce15948e8452/records/ecede3d1-5b0e-47c7-9dec-6adc5be89412",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration\",\"commit\":\"36d7648995318e235d9e732b8e3d3b84d7a77c43\",\"eventType\":\"pull_request\",\"pull_request-id\":30788}",
                    "results.tekton.dev/result": "integration1-dtub/results/90f9bafe-f47f-4f65-a2a4-ce15948e8452",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-xi47ct",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:39:49Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-5uz1",
                    "appstudio.openshift.io/component": "test-component-pac-xi47ct",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84972125948",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30788",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-component-pac-xi47ct-on-pull-request-mdf97",
                    "tekton.dev/pipelineRun": "test-component-pac-xi47ct-on-pull-request-mdf97",
                    "tekton.dev/pipelineRunUID": "90f9bafe-f47f-4f65-a2a4-ce15948e8452",
                    "tekton.dev/pipelineTask": "apply-tags",
                    "tekton.dev/task": "apply-tags",
                    "test.appstudio.openshift.io/pr-group-sha": "086ea687dbe778cee8b9ed2ceccf8d39d0bcf8dc9cdb2cff51e0346dc5e99b"
                },
                "name": "test-component-pac-xi47ct-on-pull-request-mdf97-apply-tags",
                "namespace": "integration1-dtub",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-component-pac-xi47ct-on-pull-request-mdf97",
                        "uid": "90f9bafe-f47f-4f65-a2a4-ce15948e8452"
                    }
                ],
                "resourceVersion": "57493",
                "uid": "ecede3d1-5b0e-47c7-9dec-6adc5be89412"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-component-pac-xi47ct",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "apply-tags"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:40:01Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:40:01Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-component-pac-xi47ct-on-pull-request-mdf97-apply-tags-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        "entryPoint": "apply-tags",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags"
                    }
                },
                "startTime": "2026-07-03T09:39:51Z",
                "steps": [
                    {
                        "container": "step-apply-additional-tags",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                        "name": "apply-additional-tags",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://ca2261dd956894db6e0e712768fd7f40b6e2ac1570ae90d3066ade8f63090672",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:40:01Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:40:00Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Applies additional tags to the built image.",
                    "params": [
                        {
                            "description": "Image repository and tag reference of the the built image.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest of the built image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional tags that will be applied to the image in the registry.",
                            "name": "ADDITIONAL_TAGS",
                            "type": "array"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43",
                                "--digest",
                                "sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a",
                                "--tags",
                                "--tags-from-image-label",
                                "konflux.additional-tags"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "apply-tags"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                            "name": "apply-additional-tags"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/commit_sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/pull_request_number": "30788",
                    "build.appstudio.redhat.com/target_branch": "base-zcjbry",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-93b9db8db8",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-zcjbry",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84972125948",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-slsnga",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/integration1-dtub/pipelinerun/test-component-pac-xi47ct-on-pull-request-mdf97",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-zcjbry\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30788",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration1-dtub/results/90f9bafe-f47f-4f65-a2a4-ce15948e8452/records/d20e2a6a-ef01-48c6-b193-021d35f0dd6e",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration\",\"commit\":\"36d7648995318e235d9e732b8e3d3b84d7a77c43\",\"eventType\":\"pull_request\",\"pull_request-id\":30788}",
                    "results.tekton.dev/result": "integration1-dtub/results/90f9bafe-f47f-4f65-a2a4-ce15948e8452",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-xi47ct",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:37:45Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-5uz1",
                    "appstudio.openshift.io/component": "test-component-pac-xi47ct",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84972125948",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30788",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-component-pac-xi47ct-on-pull-request-mdf97",
                    "tekton.dev/pipelineRun": "test-component-pac-xi47ct-on-pull-request-mdf97",
                    "tekton.dev/pipelineRunUID": "90f9bafe-f47f-4f65-a2a4-ce15948e8452",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah",
                    "test.appstudio.openshift.io/pr-group-sha": "086ea687dbe778cee8b9ed2ceccf8d39d0bcf8dc9cdb2cff51e0346dc5e99b"
                },
                "name": "test-component-pac-xi47ct-on-pull-request-mdf97-build-container",
                "namespace": "integration1-dtub",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-component-pac-xi47ct-on-pull-request-mdf97",
                        "uid": "90f9bafe-f47f-4f65-a2a4-ce15948e8452"
                    }
                ],
                "resourceVersion": "57003",
                "uid": "d20e2a6a-ef01-48c6-b193-021d35f0dd6e"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "."
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "36d7648995318e235d9e732b8e3d3b84d7a77c43"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-test-component-pac-xi47ct",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.9@sha256:b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-50060ba8f8"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:39:38Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:39:38Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-component-pac-xi47ct-oaf0e2f2ee3eda0e350640e00635e4179-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        "entryPoint": "buildah",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43@sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct@sha256:0ee343c5ed7e3923f3977af63844b10526450fbe660f023786ae3a643707d7e6"
                    }
                ],
                "startTime": "2026-07-03T09:37:45Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e5020fd7442dfeedcd52bf5a4124ba3d39f423fb4a47e73ba86faa1e84678642",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:38:20Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:37:52Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://ccff2533a842f435f0e662cd52d9da6933e5e47f9688b62926e01724cf0a052d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:38:40Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43@sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:38:20Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "sbom-syft-generate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://67fa64f6c17a4969f6cbd8df98e9fa1a8b2ac2af36a419adc2f02368e5843004",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:38:50Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43@sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:38:40Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "prepare-sboms",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://0ae6e1c7ce79c88f08ee4f3b887fc9c9bec20cb2bfb58c2977bb2083f3c72d8a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:39:08Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43@sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:38:50Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://135b3043262bd7de4f97c71f0ec0256fd3111d664b10fddf840c56a0fdebd412",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:39:38Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43@sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct@sha256:0ee343c5ed7e3923f3977af63844b10526450fbe660f023786ae3a643707d7e6\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:39:09Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.",
                    "params": [
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to enable privileged mode, should be used only with remote VMs",
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "4Gi"
                            },
                            "requests": {
                                "cpu": "1",
                                "memory": "4Gi"
                            }
                        },
                        "env": [
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "."
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "5d"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "ENTITLEMENT_SECRET",
                                "value": "etc-pki-entitlement"
                            },
                            {
                                "name": "ACTIVATION_KEY",
                                "value": "activation-key"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--build-args",
                                "--env",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                },
                                "requests": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "36d7648995318e235d9e732b8e3d3b84d7a77c43"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "Dockerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n  if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n    echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n    export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n      echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n      export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n    fi\n  fi\n}\n\nfunction unset_proxy {\n  echo \"[$(date --utc -Ins)] Unsetting proxy\"\n  unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n  echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n  CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n  \"$source_dir_path\" | \"$source_dir_path/\"*)\n    # path is valid, do nothing\n    ;;\n  *)\n    echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n    echo \"Source path: $source_dir_path\" \u003e\u00262\n    echo \"Resolved path: $context_dir_path\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n  # Instrumented builds (SAST) use this custom dockerfile step as their base\n  dockerfile_path=\"$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n  icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e /etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n  while IFS= read -r line || [[ -n \"$line\" ]]; do\n    # Skip empty lines and comments\n    if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n      ANNOTATIONS+=(\"--annotation\" \"$line\")\n    fi\n  done \u003c \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n    case $1 in\n        --build-args)\n            shift\n            # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n            # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n            # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do build_args+=(\"$1\"); shift; done\n            ;;\n        --env)\n            shift\n            # Collect env entries of the form KEY=value\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do env_vars+=(\"$1\"); shift; done\n            ;;\n        --labels)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do LABELS+=(\"--label\" \"$1\"); shift; done\n            ;;\n        --annotations)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ANNOTATIONS+=(\"--annotation\" \"$1\"); shift; done\n            ;;\n        *)\n            echo \"unexpected argument: $1\" \u003e\u00262\n            exit 2\n            ;;\n    esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n  BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n  ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e /shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n    jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--pull=never\")\n  UNSHARE_ARGS+=(\"--net\")\n  buildah_retries=3\n\n  set_proxy\n\n  for image in $BASE_IMAGES; do\n    if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"\n    then\n      echo \"Failed to pull base image ${image}\"\n      exit 1\n    fi\n  done\n\n  unset_proxy\n\n  echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n  BUILDAH_ARGS+=(\"--cap-add=all\")\n  BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n  BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n  if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n    BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n  fi\n  if [ -n \"$BUILD_TIMESTAMP\" ]; then\n    echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n    exit 1\n  fi\n  # but do set it so that we get all the labels/annotations associated with it\n  BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/workspace/source/cachi2/cachi2.env\" ]; then\n  # Identify the current arch to filter the prefetched content\n  PREFETCH_ARCH=\"$(uname -m)\"\n  echo \"$PREFETCH_ARCH\" \u003e /shared/prefetch-arch\n\n  echo \"Prefetched content will be made available\"\n\n  cp -r \"/workspace/source/cachi2\" /tmp/\n  chmod -R go+rwX /tmp/cachi2\n\n  # In case RPMs were prefetched and this is a multi-arch build,\n  # clean up the packages that do not match the architecture being built\n  RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n  if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n    echo \"Removing prefetched RPMs from non-matching architectures\"\n    PREFETCH_ARCH=\"$(uname -m)\"\n    for path in \"$RPM_PREFETCH_DIR\"/*; do\n      if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n        echo \"Removing: $path\"\n        rm -rf \"$path\"\n      else\n        echo \"Keeping: $path\"\n      fi\n    done\n  fi\n\n  VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n  # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n  # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n  sed -E -i \\\n      -e 'H;1h;$!d;x' \\\n      -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n    @igM' \\\n      \"$dockerfile_copy\"\n\n  prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n  if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n    echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n    mkdir -p \"$YUM_REPOS_D_FETCHED\"\n    if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n      cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n    fi\n  fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n  cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n  mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n  VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n  \"--label\" \"architecture=$(uname -m)\"\n  \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n  BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n  BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n  FINAL_BASE_IMAGE=$(\n    # Get the base image of the final stage\n    # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n    # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n    # Run the find_root_stage() function on the final stage\n    # If the final stage is scratch or oci-archive, return empty\n    jq -r '.Stages as $all_stages |\n      def find_root_stage($stage):\n        if $stage.From.Stage then\n          find_root_stage($all_stages[$stage.From.Stage.Index])\n        else\n          $stage\n        end;\n\n        find_root_stage(.Stages[-1]) |\n        if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n          empty\n        else\n          .BaseName\n        end' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n  )\n  if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n    set_proxy\n    buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null` `\n    unset_proxy\n    buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n  fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n  if [[ \"$label\" != \"--label\" ]]; then\n    label_pairs+=(\"$label\")\n  fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n  label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n  [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n  | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  echo \"\" \u003e\u003e\"$dockerfile_copy\"\n  # Always write labels.json to the new standard location\n  echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  # Conditionally write to the old location for backward compatibility\n  if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n    echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n  ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n  cp \"$containerignore\" \"$ignorefile_copy\"\n  {\n    echo \"\"\n    echo \"!/labels.json\"\n    echo \"!/content-sets.json\"\n  } \u003e\u003e \"$ignorefile_copy\"\n  BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n#    shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n  cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n  mkdir -p /shared/rhsm/etc/pki/entitlement\n  mkdir -p /shared/rhsm/etc/pki/consumer\n\n  VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key \\\n                  -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z \\\n                  -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n  echo \"Adding activation key to the build\"\n\n  if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n    # user is not running registration in the Containerfile: pre-register.\n    echo \"Pre-registering with subscription manager.\"\n    export RETRY_MAX_TRIES=6\n    if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"\n    then\n      echo \"Subscription-manager register failed\"\n      exit 1\n    fi\n    unset RETRY_MAX_TRIES\n    trap 'subscription-manager unregister || true' EXIT\n\n    # copy generated certificates to /shared volume\n    cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n    cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n    # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n    VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n  fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e /dev/null; then\n  cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n  VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n  echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n  if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n    echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n    echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n    exit 1\n  fi\n  # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n  # (we set the workdir using 'unshare -w')\n  context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n  VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n  # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n  # Instrumented builds (SAST) use this step as their base and add some other tools.\n  while read -r volume_mount; do\n    VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n  done \u003c\u003c\u003c \"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n  cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n  while read -r filename; do\n    echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n    BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n  done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n    buildah build\n    \"${VOLUME_MOUNTS[@]}\"\n    \"${BUILDAH_ARGS[@]}\"\n    \"${LABELS[@]}\"\n    \"${ANNOTATIONS[@]}\"\n    --tls-verify=\"$TLSVERIFY\" --no-cache\n    --ulimit nofile=4096:4096\n    --http-proxy=false\n    -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n  command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n  command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n  # Get the image pullspec and filter out a tag if it is not set\n  # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n  base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n  # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n  # if buildah did not use that particular image during build because it was skipped\n  if [ -n \"$base_image_digest\" ]; then\n    echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n  fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e /shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "test-component-pac-xi47ct-on-pull-request-mdf97-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "push",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"\nthen\n  echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/workspace/source/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n  echo \"Failed to push sbom image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c \"/workspace/source\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/workspace/source/image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"\nthen\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n  [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n  [rekorInternalUrl]=REKOR_URL\n  [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n  [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n  [rekorInternalUrl]=rekorExternalUrl\n  [fulcioInternalUrl]=fulcioExternalUrl\n  [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e /shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e /tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\n  cyclonedx)\n    syft_sbom_type=cyclonedx-json@1.5 ;;\n  spdx)\n    syft_sbom_type=spdx-json@2.3 ;;\n  *)\n    echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/workspace/source/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/source/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n    --additional-base-images)\n      shift\n      while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ADDITIONAL_BASE_IMAGES+=(\"$1\"); shift; done\n      ;;\n    *)\n      echo \"unexpected argument: $1\" \u003e\u00262\n      exit 2\n      ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/workspace/source/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/workspace/source/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/workspace/source/sbom-source.json\")\nfi\n\nif [ -f \"/workspace/source/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/workspace/source/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n    # spdx export data as rawstring, we want structured json as cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code to build.",
                            "name": "source"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/commit_sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/pull_request_number": "30788",
                    "build.appstudio.redhat.com/target_branch": "base-zcjbry",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-zcjbry",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84972125948",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-slsnga",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/integration1-dtub/pipelinerun/test-component-pac-xi47ct-on-pull-request-mdf97",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-zcjbry\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30788",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration1-dtub/results/90f9bafe-f47f-4f65-a2a4-ce15948e8452/records/05542268-0b90-4738-9f42-adcf29f521cd",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration\",\"commit\":\"36d7648995318e235d9e732b8e3d3b84d7a77c43\",\"eventType\":\"pull_request\",\"pull_request-id\":30788}",
                    "results.tekton.dev/result": "integration1-dtub/results/90f9bafe-f47f-4f65-a2a4-ce15948e8452",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-xi47ct",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:39:49Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-5uz1",
                    "appstudio.openshift.io/component": "test-component-pac-xi47ct",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84972125948",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30788",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-component-pac-xi47ct-on-pull-request-mdf97",
                    "tekton.dev/pipelineRun": "test-component-pac-xi47ct-on-pull-request-mdf97",
                    "tekton.dev/pipelineRunUID": "90f9bafe-f47f-4f65-a2a4-ce15948e8452",
                    "tekton.dev/pipelineTask": "clair-scan",
                    "tekton.dev/task": "clair-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "086ea687dbe778cee8b9ed2ceccf8d39d0bcf8dc9cdb2cff51e0346dc5e99b"
                },
                "name": "test-component-pac-xi47ct-on-pull-request-mdf97-clair-scan",
                "namespace": "integration1-dtub",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-component-pac-xi47ct-on-pull-request-mdf97",
                        "uid": "90f9bafe-f47f-4f65-a2a4-ce15948e8452"
                    }
                ],
                "resourceVersion": "57831",
                "uid": "05542268-0b90-4738-9f42-adcf29f521cd"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-component-pac-xi47ct",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clair-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:40:30Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:40:30Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-component-pac-xi47ct-on-pull-request-mdf97-clair-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        "entryPoint": "clair-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43\", \"digests\": [\"sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a\":\"sha256:a654ba5b6fd070c8e690c67eb093fc6f2ac23d6ab78fb9b79e05a7003f86b0f2\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":147,\"low\":150,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:40:27+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:39:49Z",
                "steps": [
                    {
                        "container": "step-get-image-manifests",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "get-image-manifests",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://4dc771821e323f86d112cdc4db9009c712337672d516bd57c723c4426ba00b2b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:40:06Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:40:01Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:e030a6094b6d88b430ed049a6a59808f4b795e9d8293d72a4bbab44da8cc429f",
                        "name": "get-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://59e63c9374c6f3e63149e087d3b00a57b68a93d5f723d06884961ba20eec64ac",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:40:21Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:40:06Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/oras@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                        "name": "oci-attach-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3e835643ef3b7e250332500e2c57c436df29164afbac21e03050be2a6a64c8e7",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:40:24Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:40:22Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "conftest-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://ba0cb0d4642b4d82033ff6f289a9361fcf8610bd5a8d27792b6e81196d68c3d6",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:40:27Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43\\\", \\\"digests\\\": [\\\"sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a\\\":\\\"sha256:a654ba5b6fd070c8e690c67eb093fc6f2ac23d6ab78fb9b79e05a7003f86b0f2\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":147,\\\"low\\\":150,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:40:27+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:40:24Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform built by.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused, should be removed in next task version.",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Clair scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "get-image-manifests",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clair-in-ci:v1",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n  { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee  \"clair-report-$2.json\"; } \u0026\u0026 \\\n  { retry clair-action convert  --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-$arch.sha\"\n\n  if [ -e \"$sha_file\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n    local digest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running clair-action on $arch image manifest...\"\n    clair_report \"$digest\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n   fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_clair_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n  echo 'No Clair reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n  fi\n\n  #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/commit_sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/pull_request_number": "30788",
                    "build.appstudio.redhat.com/target_branch": "base-zcjbry",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-zcjbry",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84972125948",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-slsnga",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/integration1-dtub/pipelinerun/test-component-pac-xi47ct-on-pull-request-mdf97",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-zcjbry\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30788",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration1-dtub/results/90f9bafe-f47f-4f65-a2a4-ce15948e8452/records/6ceb9700-c812-4a51-b342-d9b962efa6e4",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration\",\"commit\":\"36d7648995318e235d9e732b8e3d3b84d7a77c43\",\"eventType\":\"pull_request\",\"pull_request-id\":30788}",
                    "results.tekton.dev/result": "integration1-dtub/results/90f9bafe-f47f-4f65-a2a4-ce15948e8452",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-xi47ct",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:39:49Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-5uz1",
                    "appstudio.openshift.io/component": "test-component-pac-xi47ct",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84972125948",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30788",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-component-pac-xi47ct-on-pull-request-mdf97",
                    "tekton.dev/pipelineRun": "test-component-pac-xi47ct-on-pull-request-mdf97",
                    "tekton.dev/pipelineRunUID": "90f9bafe-f47f-4f65-a2a4-ce15948e8452",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "086ea687dbe778cee8b9ed2ceccf8d39d0bcf8dc9cdb2cff51e0346dc5e99b"
                },
                "name": "test-component-pac-xi47ct-on-pull-request-mdf97-clamav-scan",
                "namespace": "integration1-dtub",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-component-pac-xi47ct-on-pull-request-mdf97",
                        "uid": "90f9bafe-f47f-4f65-a2a4-ce15948e8452"
                    }
                ],
                "resourceVersion": "57892",
                "uid": "6ceb9700-c812-4a51-b342-d9b962efa6e4"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-component-pac-xi47ct",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:40:34Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:40:34Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-component-pac-xi47ct-on-pull-request-mdf97-clamav-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        "entryPoint": "clamav-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43\", \"digests\": [\"sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1783071631\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-07-03T09:39:50Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:9b2b049119587b5e4e09297ce119396c17717381bbcd1a89041fdf3216073d36",
                        "name": "extract-and-scan-image",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://ed5341025366de3b30ba18c50885eadc051cb0bcc87f6ce67e2e2771abbf6cbf",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:40:31Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43\\\", \\\"digests\\\": [\\\"sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783071631\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:40:02Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2903a756b634093ebf64f01a3fe22daf910abbd4e6a5e1a04ba8fd6225134a36",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:40:33Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43\\\", \\\"digests\\\": [\\\"sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1783071631\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:40:31Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                },
                                "requests": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=$(echo content-$arch)\n    mkdir -p \"$destination\"\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n    if [ $? -ne 0 ]; then\n      echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/commit_sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/pull_request_number": "30788",
                    "build.appstudio.redhat.com/target_branch": "base-zcjbry",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-zcjbry",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84972125948",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-slsnga",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/integration1-dtub/pipelinerun/test-component-pac-xi47ct-on-pull-request-mdf97",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-zcjbry\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30788",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration1-dtub/results/90f9bafe-f47f-4f65-a2a4-ce15948e8452/records/5ef24ae1-6cf0-473d-aa2d-643518f4dbda",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration\",\"commit\":\"36d7648995318e235d9e732b8e3d3b84d7a77c43\",\"eventType\":\"pull_request\",\"pull_request-id\":30788}",
                    "results.tekton.dev/result": "integration1-dtub/results/90f9bafe-f47f-4f65-a2a4-ce15948e8452",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-xi47ct",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:37:24Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-5uz1",
                    "appstudio.openshift.io/component": "test-component-pac-xi47ct",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84972125948",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30788",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-component-pac-xi47ct-on-pull-request-mdf97",
                    "tekton.dev/pipelineRun": "test-component-pac-xi47ct-on-pull-request-mdf97",
                    "tekton.dev/pipelineRunUID": "90f9bafe-f47f-4f65-a2a4-ce15948e8452",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init",
                    "test.appstudio.openshift.io/pr-group-sha": "086ea687dbe778cee8b9ed2ceccf8d39d0bcf8dc9cdb2cff51e0346dc5e99b"
                },
                "name": "test-component-pac-xi47ct-on-pull-request-mdf97-init",
                "namespace": "integration1-dtub",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-component-pac-xi47ct-on-pull-request-mdf97",
                        "uid": "90f9bafe-f47f-4f65-a2a4-ce15948e8452"
                    }
                ],
                "resourceVersion": "55898",
                "uid": "5ef24ae1-6cf0-473d-aa2d-643518f4dbda"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-component-pac-xi47ct",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:37:29Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:37:29Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-component-pac-xi47ct-on-pull-request-mdf97-init-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-07-03T09:37:24Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                        "name": "init",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://76fcf23550c06c349709d346ed4fb84e6fa972f4e293b256ffd767db72f5d57a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:37:28Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:37:28Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/commit_sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/pull_request_number": "30788",
                    "build.appstudio.redhat.com/target_branch": "base-zcjbry",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-93b9db8db8",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-zcjbry",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84972125948",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-slsnga",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/integration1-dtub/pipelinerun/test-component-pac-xi47ct-on-pull-request-mdf97",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-zcjbry\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30788",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration1-dtub/results/90f9bafe-f47f-4f65-a2a4-ce15948e8452/records/eb216061-55e4-4aad-8db6-52969739bea6",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration\",\"commit\":\"36d7648995318e235d9e732b8e3d3b84d7a77c43\",\"eventType\":\"pull_request\",\"pull_request-id\":30788}",
                    "results.tekton.dev/result": "integration1-dtub/results/90f9bafe-f47f-4f65-a2a4-ce15948e8452",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, appstudio",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-xi47ct",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:39:49Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-5uz1",
                    "appstudio.openshift.io/component": "test-component-pac-xi47ct",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84972125948",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30788",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-component-pac-xi47ct-on-pull-request-mdf97",
                    "tekton.dev/pipelineRun": "test-component-pac-xi47ct-on-pull-request-mdf97",
                    "tekton.dev/pipelineRunUID": "90f9bafe-f47f-4f65-a2a4-ce15948e8452",
                    "tekton.dev/pipelineTask": "push-dockerfile",
                    "tekton.dev/task": "push-dockerfile",
                    "test.appstudio.openshift.io/pr-group-sha": "086ea687dbe778cee8b9ed2ceccf8d39d0bcf8dc9cdb2cff51e0346dc5e99b"
                },
                "name": "test-component-pac-xi47ct-on-pull-request-mdf97-push-dockerfile",
                "namespace": "integration1-dtub",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-component-pac-xi47ct-on-pull-request-mdf97",
                        "uid": "90f9bafe-f47f-4f65-a2a4-ce15948e8452"
                    }
                ],
                "resourceVersion": "57657",
                "uid": "eb216061-55e4-4aad-8db6-52969739bea6"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "."
                    }
                ],
                "serviceAccountName": "build-pipeline-test-component-pac-xi47ct",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "push-dockerfile"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3@sha256:64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-50060ba8f8"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:40:04Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:40:04Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-component-pac-xi47ct-o9e75d95b57c072b6833a27a64ed0abd2-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        "entryPoint": "push-dockerfile",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct@sha256:c6ec2e358fc5ca5f8b75a7583410bb05d505aae93de1d7ffe33097a03d9169a4"
                    }
                ],
                "startTime": "2026-07-03T09:39:52Z",
                "steps": [
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://375fad15136143574af51ed05b7a681e75212ffa3235f72b7f9bc0333a97d06a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:40:04Z",
                            "message": "[{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct@sha256:c6ec2e358fc5ca5f8b75a7583410bb05d505aae93de1d7ffe33097a03d9169a4\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:40:02Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.",
                    "params": [
                        {
                            "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": ".dockerfile",
                            "description": "Suffix of the Dockerfile image tag.",
                            "name": "TAG_SUFFIX",
                            "type": "string"
                        },
                        {
                            "default": "application/vnd.konflux.dockerfile",
                            "description": "Artifact type of the Dockerfile image.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest-pinned image reference to the Dockerfile image.",
                            "name": "IMAGE_REF",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--source",
                                "source",
                                "--context",
                                ".",
                                "--containerfile",
                                "Dockerfile",
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43",
                                "--image-digest",
                                "sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a",
                                "--artifact-type",
                                "application/vnd.konflux.dockerfile",
                                "--tag-suffix",
                                ".dockerfile",
                                "--result-path-image-ref",
                                "/tekton/results/IMAGE_REF",
                                "--alternative-filename",
                                "Dockerfile"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "push-containerfile"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                            "name": "push",
                            "workingDir": "/workspace/workspace"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code from where the Dockerfile is discovered.",
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/commit_sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/pull_request_number": "30788",
                    "build.appstudio.redhat.com/target_branch": "base-zcjbry",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-93b9db8db8",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-zcjbry",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84972125948",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-slsnga",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/integration1-dtub/pipelinerun/test-component-pac-xi47ct-on-pull-request-mdf97",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-zcjbry\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30788",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration1-dtub/results/90f9bafe-f47f-4f65-a2a4-ce15948e8452/records/445ef021-9a71-4777-ad9e-796c151e8917",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration\",\"commit\":\"36d7648995318e235d9e732b8e3d3b84d7a77c43\",\"eventType\":\"pull_request\",\"pull_request-id\":30788}",
                    "results.tekton.dev/result": "integration1-dtub/results/90f9bafe-f47f-4f65-a2a4-ce15948e8452",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-xi47ct",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:39:49Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-5uz1",
                    "appstudio.openshift.io/component": "test-component-pac-xi47ct",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84972125948",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30788",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-component-pac-xi47ct-on-pull-request-mdf97",
                    "tekton.dev/pipelineRun": "test-component-pac-xi47ct-on-pull-request-mdf97",
                    "tekton.dev/pipelineRunUID": "90f9bafe-f47f-4f65-a2a4-ce15948e8452",
                    "tekton.dev/pipelineTask": "sast-snyk-check",
                    "tekton.dev/task": "sast-snyk-check",
                    "test.appstudio.openshift.io/pr-group-sha": "086ea687dbe778cee8b9ed2ceccf8d39d0bcf8dc9cdb2cff51e0346dc5e99b"
                },
                "name": "test-component-pac-xi47ct-on-pull-request-mdf97-sast-snyk-check",
                "namespace": "integration1-dtub",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-component-pac-xi47ct-on-pull-request-mdf97",
                        "uid": "90f9bafe-f47f-4f65-a2a4-ce15948e8452"
                    }
                ],
                "resourceVersion": "57186",
                "uid": "445ef021-9a71-4777-ad9e-796c151e8917"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-component-pac-xi47ct",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-snyk-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-50060ba8f8"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:40:03Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:40:03Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-component-pac-xi47ct-oc7979c2f1696b0749c91334b46f333f4-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        "entryPoint": "sast-snyk-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-03T09:40:02+00:00\",\"note\":\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:39:49Z",
                "steps": [
                    {
                        "container": "step-sast-snyk-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-snyk-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6357935f8e7ad44152a57d6e1653d521056853e3620bc9a3ca40b7b1092b7565",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:40:02Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-03T09:40:02+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:40:01Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://efc56fbe1934405e7ee76d17d3f3d799a6cc25447764c40f95b69f03f491dd0d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:40:02Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-03T09:40:02+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:40:02Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.\n\nFollow the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/) to obtain a snyk-token and to enable the snyk task in a Pipeline.\n\nThe snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test\n\nSee https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.",
                    "params": [
                        {
                            "default": "snyk-secret",
                            "description": "Name of secret which contains Snyk token.",
                            "name": "SNYK_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Append arguments.",
                            "name": "ARGS",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Digest of the image to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Report only important findings in task result. Default is \"true\". To report all findings in task result, specify \"false\". Uploaded SARIF report to remote registry always includes all findings, regardless of severity level.",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Write excluded records in file. Useful for auditing (defaults to false).",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.",
                            "name": "IGNORE_FILE_PATHS",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "6Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "6Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNYK_SECRET",
                                    "value": "snyk-secret"
                                },
                                {
                                    "name": "ARGS"
                                },
                                {
                                    "name": "IGNORE_FILE_PATHS"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-snyk-check",
                            "script": "#!/usr/bin/env bash\n\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\n# Installation of Red Hat certificates for cloning Red Hat internal repositories\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSNYK_TOKEN_PATH=\"/etc/secrets/snyk_token\"\nif [ -f \"${SNYK_TOKEN_PATH}\" ] \u0026\u0026 [ -s \"${SNYK_TOKEN_PATH}\" ]; then\n  # SNYK token is provided\n  SNYK_TOKEN=\"$(cat ${SNYK_TOKEN_PATH})\"\n  export SNYK_TOKEN\nelse\n  # According to shellcheck documentation, the following error can be ignored as it is ignored through indirection: https://www.shellcheck.net/wiki/SC2034\n  # shellcheck disable=SC2034\n  to_enable_snyk='[here](https://konflux-ci.dev/docs/testing/build/snyk/)'\n  note=\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given ${to_enable_snyk}\"\n  TEST_OUTPUT=$(make_result_json -r SKIPPED -t \"$note\")\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nSNYK_EXIT_CODE=0\nSOURCE_CODE_DIR=/workspace/workspace\n\n# We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.\n(cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 IFS=\",\" \u0026\u0026 for path in $IGNORE_FILE_PATHS; do\n  snyk ignore --file-path=\"source/${path}\"\ndone)\n\nset +e\necho \"INFO: Running 'snyk code test'..\"\n# We do want to expand ARGS (it can be multiple CLI flags, not just one)\n# shellcheck disable=SC2086\n\n# Generate full paths for each directory in TARGET_DIRS\nIFS=\",\" read -ra TARGETS_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGETS_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # Ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ ! \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\n\n  # Ensure directory exists\n  if [ ! -d \"$resolved_path\" ]; then\n    echo \"Warning: Directory $resolved_path does not exist, skipping\"\n    continue\n  fi\n\n  echo \"INFO: Scanning directory: $resolved_path\"\n  # We do want to expand ARGS (it can be multiple CLI flags, not just one)\n  # shellcheck disable=SC2086\n  snyk code test $ARGS \"$resolved_path\" --max-depth=1 --sarif-file-output=\"${resolved_path}/sast_snyk_check_out_${d//\\//_}.json\" 1\u003e\u00262\u003e\u003e stdout.txt\n  cmd_exit_code=$?\n  # Track the exit code: if any snyk command fails, preserve the failure\n  # Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error, 3 = no supported files\n  # Error codes (2+) always override, warning codes (1,3) only if no previous error\n  if [[ \"$cmd_exit_code\" -ne 0 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 1 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 3 ]]; then\n    SNYK_EXIT_CODE=$cmd_exit_code\n  fi\n\ndone\n\n# Merge all SARIF outputs\nfind \"$SOURCE_CODE_DIR\" -name \"sast_snyk_check_out_*.json\" -exec cat {} + \u003e \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\nset -e\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\n\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n  # Check if the merged SARIF file has content - this could happen if the snyk scan found no findings\n  if [ ! -s \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\" ]; then\n    echo \"WARN: No JSON output files were generated by snyk scan\"\n    # Get snyk version for proper SARIF metadata\n    SNYK_VERSION=$(snyk --version 2\u003e/dev/null | head -1 | tr -d '\\n' || echo \"unknown\")\n    # Create a valid minimal SARIF structure using jq\n    # Note: coverage array is required even when empty because downstream jq commands expect it\n    jq -n --arg version \"$SNYK_VERSION\" '{\n      \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n      \"version\": \"2.1.0\",\n      \"runs\": [{\n        \"tool\": {\n          \"driver\": {\n            \"name\": \"snyk\",\n            \"version\": $version,\n            \"informationUri\": \"https://snyk.io\"\n          }\n        },\n        \"results\": [],\n        \"properties\": {\n          \"coverage\": []\n        }\n      }]\n    }' \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\n  fi\n\n  # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context\n  (cd  \"${SOURCE_CODE_DIR}\" \u0026\u0026 csgrep --mode=json --embed-context=3 \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json) \\\n    | csgrep --mode=json --strip-path-prefix=\"source/\"  \\\n    \u003e sast_snyk_check_out_all_findings.json\n\n  echo \"INFO: Initial results:\"\n  csgrep --mode=evtstat sast_snyk_check_out_all_findings.json\n\n  if [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\n  fi\n  PROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n  # create the KFP clone directory regardless\n  KFP_DIR=\"known-false-positives\"\n  KFP_CLONED=\"0\"\n  mkdir \"${KFP_DIR}\"\n\n  # We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\n  if [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n      echo \"INFO: Trying to clone known-false-positives..\"\n      git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\n  fi\n\n  if [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone know-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json\n  else\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    CMD=(\n      csfilter-kfp\n      --verbose\n      --kfp-dir=\"${KFP_DIR}\"\n      --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [ \"${RECORD_EXCLUDED}\" == \"true\" ]; then\n      CMD+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    set +e\n    \"${CMD[@]}\" sast_snyk_check_out_all_findings.json \u003e filtered_sast_snyk_check_out.json\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n      echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n      echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\n    echo \"INFO: Results after filtering:\"\n    (set -x \u0026\u0026 csgrep --mode=evtstat filtered_sast_snyk_check_out.json)\n  fi\n\n  # Generation of scan stats\n\n  total_files=$(jq '[.runs[0].properties.coverage[].files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n  supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == \"SUPPORTED\") | .files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n\n  # We make sure the values are 0 if no supported/total files are found\n  if [ \"$total_files\" = \"null\" ] || [ -z \"$total_files\" ]; then\n    total_files=0\n  fi\n\n  if [ \"$supported_files\" = \"null\" ] || [ -z \"$supported_files\" ]; then\n    supported_files=0\n  fi\n\n  coverage_ratio=0\n  if (( total_files \u003e 0 )); then\n      coverage_ratio=$((supported_files * 100 / total_files))\n  fi\n\n  # embed stats in results file and convert to SARIF\n  csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:\"${coverage_ratio}\" \\\n                      --set-scan-prop snyk-scanned-files-success:\"${supported_files}\"  \\\n                      --set-scan-prop snyk-scanned-files-total:\"${total_files}\" \\\n                      filtered_sast_snyk_check_out.json  \u003e sast_snyk_check_out.sarif\n\n  # Create filtered SARIF for Tekton task result based on IMP_FINDINGS_ONLY parameter\n  if [ \"${IMP_FINDINGS_ONLY}\" == \"true\" ]; then\n    # Filter to only \"error\" level or higher (high/critical severity) for Tekton task result\n    # In SARIF, defects are given a level like \"error\" or \"warning\". Snyk maps \"high\" level findings to \"error\".\n    # - \"error\" → importance level 1\n    # - \"warning\" (or missing level) → importance level 0\n    RESULT_SARIF=\"result_sast_snyk_check_out.sarif\"\n    csgrep --mode=sarif --imp-level 1 sast_snyk_check_out.sarif \u003e \"$RESULT_SARIF\"\n  else\n    # Use all findings for Tekton task result\n    RESULT_SARIF=\"sast_snyk_check_out.sarif\"\n  fi\n\n  TEST_OUTPUT=\n  parse_test_output \"sast-snyk-check\" sarif \"$RESULT_SARIF\"  || true\n\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n  note=\"Task sast-snyk-check success: Snyk code test found zero supported files.\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-snyk-check test failed because of the following issues:\"\n  cat stdout.txt\n  note=\"Task sast-snyk-check failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets",
                                    "name": "snyk-secret",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_snyk_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n    if [ \"${UPLOAD_FILES}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach to ${IMAGE_URL}\"\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "snyk-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "snyk-secret"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/commit_sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/pull_request_number": "30788",
                    "build.appstudio.redhat.com/target_branch": "base-zcjbry",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-93b9db8db8",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-zcjbry",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84972125948",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-slsnga",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/integration1-dtub/pipelinerun/test-component-pac-xi47ct-on-pull-request-mdf97",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-zcjbry\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30788",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration1-dtub/results/90f9bafe-f47f-4f65-a2a4-ce15948e8452/records/e814e489-1b03-43a3-9ccf-51cd045193b8",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration\",\"commit\":\"36d7648995318e235d9e732b8e3d3b84d7a77c43\",\"eventType\":\"pull_request\",\"pull_request-id\":30788}",
                    "results.tekton.dev/result": "integration1-dtub/results/90f9bafe-f47f-4f65-a2a4-ce15948e8452",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-xi47ct",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:37:29Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-5uz1",
                    "appstudio.openshift.io/component": "test-component-pac-xi47ct",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84972125948",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30788",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-component-pac-xi47ct-on-pull-request-mdf97",
                    "tekton.dev/pipelineRun": "test-component-pac-xi47ct-on-pull-request-mdf97",
                    "tekton.dev/pipelineRunUID": "90f9bafe-f47f-4f65-a2a4-ce15948e8452",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone",
                    "test.appstudio.openshift.io/pr-group-sha": "086ea687dbe778cee8b9ed2ceccf8d39d0bcf8dc9cdb2cff51e0346dc5e99b"
                },
                "name": "test-component5e429df7563aa99c13949a3c56e24efb-clone-repository",
                "namespace": "integration1-dtub",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-component-pac-xi47ct-on-pull-request-mdf97",
                        "uid": "90f9bafe-f47f-4f65-a2a4-ce15948e8452"
                    }
                ],
                "resourceVersion": "56006",
                "uid": "e814e489-1b03-43a3-9ccf-51cd045193b8"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration"
                    },
                    {
                        "name": "revision",
                        "value": "36d7648995318e235d9e732b8e3d3b84d7a77c43"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-component-pac-xi47ct",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "output",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-50060ba8f8"
                        }
                    },
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-slsnga"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:37:36Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:37:36Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-component5e429df7563aac80b42738dd8191e44266f06de169b59-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        "entryPoint": "git-clone",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "36d7648995318e235d9e732b8e3d3b84d7a77c43"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "36d7648995318e235d9e732b8e3d3b84d7a77c43"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1783071430"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "36d7648"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration"
                    }
                ],
                "startTime": "2026-07-03T09:37:29Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://ee4556cd328d3e14712aa3a8e15367719c47a7b6169dd94be9261ee5871a3484",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:37:34Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"36d7648995318e235d9e732b8e3d3b84d7a77c43\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration\",\"type\":1},{\"key\":\"commit\",\"value\":\"36d7648995318e235d9e732b8e3d3b84d7a77c43\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1783071430\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"36d7648\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:37:34Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://5083a5b714f5ce86221fe9a9f34ac46b382b15b91c77625222bf3a93f266f1f0",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:37:35Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"36d7648995318e235d9e732b8e3d3b84d7a77c43\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration\",\"type\":1},{\"key\":\"commit\",\"value\":\"36d7648995318e235d9e732b8e3d3b84d7a77c43\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1783071430\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"36d7648\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:37:35Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.",
                    "params": [
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "source",
                            "description": "Subdirectory inside the `output` Workspace to clone the repo into.",
                            "name": "subdirectory",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Clean out the contents of the destination directory if it already exists before cloning.",
                            "name": "deleteExisting",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Deprecated. Has no effect. Will be removed in the future.",
                            "name": "gitInitImage",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "36d7648995318e235d9e732b8e3d3b84d7a77c43"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "PARAM_DELETE_EXISTING",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_GIT_INIT_IMAGE"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n  set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n  echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n  # Delete any existing contents of the repo directory if it exists.\n  #\n  # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n  # or the root of a mounted volume.\n  if [ -d \"${CHECKOUT_DIR}\" ] ; then\n    # Delete non-hidden files and directories\n    rm -rf \"${CHECKOUT_DIR:?}\"/*\n    # Delete files and directories starting with . but excluding ..\n    rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n    # Delete files and directories starting with .. plus any other character\n    rm -rf \"${CHECKOUT_DIR}\"/..?*\n  fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n  cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\nif ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n  echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n  echo \"--- Git Status ---\"\n  git status\n  echo \"------------------\"\n  exit 1\nfi\n\n# Check if there are changes staged for commit\nif git diff --staged --quiet; then\n  echo \"No diff was found, skipping merge...\" \u003e\u00262\nelse\n  echo \"Merge successful (no conflicts found), committing...\"\nif ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n  echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n  exit 1\nfi\n  MERGED_SHA=$(git rev-parse HEAD)\n  echo \"New HEAD after merge: ${MERGED_SHA}\"\n  echo \"${MERGED_SHA}\" \u003e \"/tekton/results/merged_sha\"\nfi\n\nelse\n  echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink\n  do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The git repo will be cloned onto the volume backing this Workspace.",
                            "name": "output"
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration?rev=36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/commit_sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "build.appstudio.redhat.com/pull_request_number": "30788",
                    "build.appstudio.redhat.com/target_branch": "base-zcjbry",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-93b9db8db8",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-zcjbry",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84972125948",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-slsnga",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://44.218.3.198:9443/ns/integration1-dtub/pipelinerun/test-component-pac-xi47ct-on-pull-request-mdf97",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-zcjbry\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30788",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration/commit/36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "integration1-dtub/results/90f9bafe-f47f-4f65-a2a4-ce15948e8452/records/a930aa4f-bd07-41ea-9ffa-0a7faf1306f1",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration\",\"commit\":\"36d7648995318e235d9e732b8e3d3b84d7a77c43\",\"eventType\":\"pull_request\",\"pull_request-id\":30788}",
                    "results.tekton.dev/result": "integration1-dtub/results/90f9bafe-f47f-4f65-a2a4-ce15948e8452",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-component-pac-xi47ct",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-03T09:39:49Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-5uz1",
                    "appstudio.openshift.io/component": "test-component-pac-xi47ct",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84972125948",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-component-pac-xi47ct-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "30788",
                    "pipelinesascode.tekton.dev/repository": "test-component-pac-xi47ct",
                    "pipelinesascode.tekton.dev/sha": "36d7648995318e235d9e732b8e3d3b84d7a77c43",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-component-pac-xi47ct-on-pull-request-mdf97",
                    "tekton.dev/pipelineRun": "test-component-pac-xi47ct-on-pull-request-mdf97",
                    "tekton.dev/pipelineRunUID": "90f9bafe-f47f-4f65-a2a4-ce15948e8452",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check",
                    "test.appstudio.openshift.io/pr-group-sha": "086ea687dbe778cee8b9ed2ceccf8d39d0bcf8dc9cdb2cff51e0346dc5e99b"
                },
                "name": "test-component5e429df7563aa99c13949a3c56e24efb-sast-shell-check",
                "namespace": "integration1-dtub",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-component-pac-xi47ct-on-pull-request-mdf97",
                        "uid": "90f9bafe-f47f-4f65-a2a4-ce15948e8452"
                    }
                ],
                "resourceVersion": "57296",
                "uid": "a930aa4f-bd07-41ea-9ffa-0a7faf1306f1"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-component-pac-xi47ct",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-50060ba8f8"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-03T09:40:04Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-03T09:40:04Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-component5e429df7563aae813e827f6b747d42f82f78abdeb1809-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        "entryPoint": "sast-shell-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-03T09:40:02+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-03T09:39:50Z",
                "steps": [
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-shell-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://69e13faf613bf103af74f911f353f9828f944e507d869648c7bed442bc2d303f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:40:02Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:40:02+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:40:01Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f06f883d825cd155fbc6f478f6d326998b0cfbe3dbfcb116effc5af493d1a5ca",
                            "exitCode": 0,
                            "finishedAt": "2026-07-03T09:40:04Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-03T09:40:02+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-03T09:40:03Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "8",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/workspace/workspace/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n    read -r quota period \u003c /sys/fs/cgroup/cpu.max\n    if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n        export SC_JOBS=$(((quota + period - 1) / period))\n        echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n    fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n    --mode=json\n    --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n    # predefined list of shellcheck important findings\n    CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n    CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n    CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n    CSGREP_OPTS+=(\n        --event=\"$CSGREP_EVENT_FILTER\"\n    )\nelse\n    CSGREP_OPTS+=(\n        --event=\"error|warning\"\n    )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e \"$OUTPUT_FILE\"; then\n    echo \"Error occurred while running 'run-shellcheck.sh'\"\n    note=\"Task sast-shell-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e \"${OUTPUT_FILE}.filtered\" 2\u003e \"${OUTPUT_FILE}.error\"\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n        mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003e shellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/integration1-dtub/test-component-pac-xi47ct:on-pr-36d7648995318e235d9e732b8e3d3b84d7a77c43"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:785c0d6a2a07af2efd1875df57e010ee99c1972bb7d05b9c45b1144091e7286a"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n    echo 'No image-url or image-digest param provided. Skipping upload.'\n    exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n        echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n        continue\n    fi\n\n    # Determine the media type based on the file extension\n    if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n        MEDIA_TYPE=\"application/json\"\n    else\n        MEDIA_TYPE=\"application/sarif+json\"\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n      exit 1\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        }
    ],
    "kind": "List",
    "metadata": {
        "resourceVersion": ""
    }
}
